Abstract 

This paper addresses the problem of resilient consensus in the presence of misbehaving nodes. 
Although it is typical to assume knowledge of at least some nonlocal information when studying secure 
and fault-tolerant consensus algorithms, this assumption is not suitable for large-scale dynamic networks. 
To remedy this, we emphasize the use of local strategies to deal with resilience to security breaches. 
We study a consensus protocol that uses only local information and we consider worst-case security 
breaches, where the compromised nodes have full knowledge of the network and the intentions of the 
other nodes. We provide necessary and sufficient conditions for the normal nodes to reach consensus 
despite the influence of the malicious nodes under different threat assumptions. These conditions are 
stated in terms of a novel graph-theoretic property referred to as network robustness. 

I. INTRODUCTION 

The engineering community has experienced a paradigm shift from centralized to distributed 
system design, propelled by advances in networking and low-cost, high performance embedded 
systems. In particular, this has led to significant interest in the design and analysis of multi- 
agent networks. A multi-agent network consists of a set of individuals called agents, or nodes, 
equipped with some means of sensing or communicating along with computational resources 
and possibly actuation. Through a medium, which is referred to as the network, the agents share 
information in order to achieve specific group objectives. Some examples of group objectives include consensus [22], [26], synchronization [6], [27], surveillance [?], and formation control [9]. 
In order for the group objectives to be achieved, distributed algorithms are used to coordinate 
the behavior of the agents. 

There are several advantages to using multiple agents over a single one. First, the objective 
may be complex and challenging, or possibly even infeasible for a single agent to achieve. 
Second, employing many agents can provide robustness in the case of failures or faults. Third, 
networked multi-agent systems are flexible and can support reconfigurability. Finally, there are 
performance advantages that can be leveraged from multiple agents. For example, in surveillance 
and monitoring applications, a multi-agent network provides redundancy and increased fidelity 
of information [?], [14]. 

Along with the advantages come certain challenges. Perhaps the most fundamental challenge in 
the design of networked multi-agent systems is the restriction that the coordination algorithms 
use only local information, i.e., information obtained by the individual agent through sensor 
measurements, calculations, or communication with neighbors in the network. In this manner, 
the feedback control laws must be distributed. 

A second challenge lies in the fact that not only is each agent typically a dynamical system, 
but the network itself is dynamic. This challenge arises because the agents may be mobile and 
the environment may be changing, thus giving rise to dynamic (or switching) networks. Since 
the distributed algorithms depend directly on the network, this additional source of dynamics 
can affect the stability and performance of the networked system. 

An especially important challenge is that multi-agent networks, like all large-scale distributed 
systems, have many entry points for malicious attacks or intrusions. For the success of the group 
objective, it is important that the cooperative control algorithms are designed in such a way that 
they can withstand the compromise of a subset of the nodes and still guarantee some notion of 
correct behavior at a minimum level of performance. We refer to such a multi-agent network 
as being resilient to adversaries. Given the growing threat of malicious attacks in large-scale 
cyber-physical systems, this is an important and challenging problem [?]. 

One of the most fundamental group objectives is to reach consensus on a quantity of interest. 
This concept is deeply intuitive, yet imprecise. Hence, there are several variations on how 
consensus problems are defined. At one extreme, consensus may be unconstrained, and there is 
no restriction on the agreement quantity. In other cases, consensus may be partially constrained 
by some rule or prescribed to lie in a set of possible agreement values which are in some way 
reasonable to the problem at hand. At the other extreme, consensus may be function constrained, 
or $\chi$-constrained, in which case the consensus value must satisfy a particular function of the 
initial values of the nodes [?], [28]. In all of these cases, it is important that consensus algorithms 
be resilient to various forms of uncertainty, whether the source of uncertainty is caused by 
implementation effects, faults, or security breaches. 

The problem of reaching consensus resiliently in the presence of misbehaving nodes has 
been studied in distributed computing [13], [20], communication networks [?], and mobile 
robotics [?], [3], [?]. Among other things, it has been shown that given $F$ Byzantine or malicious 
nodes, there exists a strategy for the misbehaving nodes to disrupt consensus if the network 
connectivity¹ is $2F$ or less. Conversely, if the network connectivity is at least $2F + 1$, then there 
exist strategies for the normal nodes to use that ensure consensus is reached [20], [23], [29]. 
However, these methods either require that normal nodes have at least some nonlocal information 
or assume that the network is complete, i.e., all-to-all communication or sensing [?], [?], [?], 
[13], [?]. Moreover, these algorithms tend to be computationally expensive. Therefore, there is 
a need for resilient consensus algorithms that are low complexity and operate using only local 
information. 

Typically, an upper bound on the number of faults or threats in the network is assumed, i.e., 
at most F out of n nodes fail or are compromised. We refer to this threat assumption, or scope 
of threat, as the F -total model. In cases where it is preferable to make no global assumptions, 
we are interested in other threat assumptions that are strictly local. For example, whenever each 
node only assumes that at most F nodes in its neighborhood are compromised (but there is no 
other bound on the total number of compromised nodes), the scope of threat is F-local. 

In addition to the number of misbehaving nodes, one can consider various threat models 
for the misbehaving nodes; examples include non-colluding [23], malicious [16], [23], [29], or 
Byzantine [?], [13], [18], [32] nodes. Non-colluding nodes are unaware of the network topology, 
which other nodes are misbehaving, or the states of non-neighboring nodes. On the other hand, 
malicious nodes have full knowledge of the networked system and therefore, worst case behavior 
must be assumed. The only difference between malicious and Byzantine nodes lies in their 
capacity for deceit. Malicious nodes are unable to convey different information to different 
neighbors in the network, whereas Byzantine nodes can. 

¹ The network connectivity is defined as the smaller of the two following values: (i) the size of a minimal vertex cut and (ii) 
$n - 1$, where $n$ is the number of nodes in the network. 

Recently, we have studied resilient algorithms in the presence of misbehaving nodes. In [16], 
we introduce the Adversarial Robust Consensus Protocol (ARC-P) for consensus in the presence 
of malicious agents under the F-total model in continuous-time complete networks, with the 
agents also modeled in continuous time. The results of [16] are extended to both malicious and 
Byzantine threat models in networks with constrained information flow and dynamic network 
topology in [18]. In [34], we study general distributed algorithms with F-local malicious adversaries, 
encompassing ARC-P. In [18], [34], we show that traditional graph theoretic properties 
such as connectivity and degree, which have played a vital role in characterizing the resilience 
of distributed algorithms (see [20], [29]), are no longer adequate when the agents make purely 
local decisions (i.e., without knowing nonlocal aspects of the network topology). Instead, in [34] 
we introduce a novel topological property, referred to as network robustness, and show that this 
concept is highly effective at characterizing the ability of purely local algorithms to succeed. 
Separate sufficient and necessary conditions are provided in [34] for ARC-P to achieve resilient 
consensus in discrete time, and it is shown that the preferential attachment mechanism for 
generating complex networks produces robust graphs. 

In this paper, we continue our study of resilient consensus in the presence of malicious 
nodes while using only local information. We are interested in partially constrained, asymptotic 
consensus in dynamic networks. To allow for multiple interpretations of the results, we formulate 
the problem in a setting common to discrete and continuous time for node dynamics and time-invariant 
or time-varying network topologies. We extend the Adversarial Robust Consensus 
Protocol (ARC-P) introduced in [16] to weighted networks. We then describe robust network 
topologies that are rich enough to enable resilience to malicious nodes, but are not too restrictive 
in terms of communication cost (i.e., number of communication links); in particular, we generalize 
the robustness property of [34]. Given these topological properties, we fully characterize 
the consensus behavior of the normal nodes using ARC-P under the F-total model of malicious 
nodes, and provide, for the first time, a necessary and sufficient condition for the algorithm to 
succeed. Additionally, for the F-local threat model, we provide improved separate necessary and 
sufficient conditions for asymptotic agreement of the normal nodes in the presence of malicious 
nodes. 

The rest of the paper is organized as follows. Section II introduces the problem in a framework 
common to discrete and continuous time. Section III presents ARC-P in the unified framework. 
Section IV motivates the need for robust network topologies and introduces the formal definitions. 
The main results are given in Section V. A simulation example is presented in Section VI. Finally, 
some discussion is given in Section VII. 

II. PROBLEM FORMULATION 

Consider a time-varying network modeled by the (finite, simple) directed graph, or digraph, 
$\mathcal{D}[t] = \{\mathcal{V}, \mathcal{E}[t]\}$, where $\mathcal{V} = \{1, \dots, n\}$ is the node set and $\mathcal{E}[t] \subset \mathcal{V} \times \mathcal{V}$ is the directed edge set at 
time $t$. The nodes are assumed to have unique identifiers that form a totally ordered set $\mathcal{X}$. Without 
loss of generality², the node set is partitioned into a set of $N$ normal nodes $\mathcal{N} = \{1, 2, \dots, N\}$ 
and a set of $A$ adversary nodes $\mathcal{A} = \{N+1, N+2, \dots, n\}$, with $A = n - N$. Let $\Gamma_n$ denote 
the set of all digraphs on $n$ nodes, which is of course a finite set. Note that $\mathcal{D}[t] \in \Gamma_n$ for all 
$t$, where $t \in \mathbb{R}_{\ge 0}$ for continuous time and $t \in \mathbb{Z}_{\ge 0}$ for discrete time. When we wish to refer to 
both discrete and continuous time, we generically say at time $t$. 

The time-varying topology of the network is governed by a piecewise constant switching 
signal $\sigma(\cdot)$, which is defined on $\mathbb{Z}_{\ge 0}$ for discrete time and $\mathbb{R}_{\ge 0}$ for continuous time, and takes 
values in $\Gamma_n$. In order to emphasize the role of the switching signal, we denote $\mathcal{D}_{\sigma(t)} = \mathcal{D}[t]$. 
Let $\{\tau_k\}$, $k \in \mathbb{Z}_{\ge 0}$, denote the set of switching instances. For continuous time, we assume that 
there exists some constant $\tau \in \mathbb{R}_{>0}$ such that $\tau_{k+1} - \tau_k \ge \tau$ for all $k \ge 0$. In other words, $\sigma(\cdot)$ 
is subject to the dwell time $\tau$. 

Each directed edge $(j, i) \in \mathcal{E}[t]$ models information flow and indicates that node $i$ can be 
influenced by (or receive information from) node $j$ at time $t$. The set of in-neighbors, or just 
neighbors, of node $i$ at time $t$ is defined as $\mathcal{V}_i[t] = \{j \in \mathcal{V} : (j, i) \in \mathcal{E}[t]\}$ and the (in-)degree of 
$i$ is denoted $d_i[t] = |\mathcal{V}_i[t]|$. Likewise, the set of out-neighbors of node $i$ at time $t$ is defined as 
$\mathcal{V}_i^{\mathrm{out}}[t] = \{j \in \mathcal{V} : (i, j) \in \mathcal{E}[t]\}$. Because each node has access to its own state at time $t$, we also 
consider the inclusive neighbors of node $i$, denoted $\mathcal{J}_i[t] = \mathcal{V}_i[t] \cup \{i\}$. Note that time-invariant 
networks are represented simply by dropping the dependence on time $t$. 

² There exists a bijection from $\mathcal{X}$ to $\mathcal{V} = \mathcal{N} \cup \mathcal{A}$. 

A. Update Model 

Suppose that each node $i \in \mathcal{V}$ begins with some private value $x_i[0] \in \mathbb{R}$ (representing a 
measurement, opinion, vote, etc.), which evolves over time. Let $x_{\mathcal{N}}[t] = [x_1[t], \dots, x_N[t]]^T$ 
and $x_{\mathcal{A}}[t] = [x_{N+1}[t], x_{N+2}[t], \dots, x_n[t]]^T$ denote collectively the value (or state³) trajectories of 
the normal and adversary nodes, respectively, and let $x[t] = [x_{\mathcal{N}}^T[t], x_{\mathcal{A}}^T[t]]^T$. The nodes interact 
synchronously by conveying their value to (out-)neighbors in the network. Each normal node 
updates its value over time according to a prescribed rule, which is modeled as 

$$D[x_i[t]] = f_{i,\sigma(t)}(t, x_{\mathcal{N}}, x_{\mathcal{A}}), \quad i \in \mathcal{N},\ \mathcal{D}_{\sigma(t)} \in \Gamma_n,$$ 

where $D[x_i[t]] = \dot{x}_i[t]$ is the derivative operator for continuous time and $D[x_i[t]] = x_i[t+1] - x_i[t]$ 
is the forward difference operator for discrete time. Collectively, we define the system of 
normal nodes by 

$$D[x_{\mathcal{N}}[t]] = f_{\sigma(t)}(t, x_{\mathcal{N}}, x_{\mathcal{A}}), \quad x_{\mathcal{N}}[0] \in \mathbb{R}^N,\ \mathcal{D}_{\sigma(t)} \in \Gamma_n, \tag{1}$$ 

where $f_{\sigma(t)}(\cdot) = [f_{1,\sigma(t)}(\cdot), \dots, f_{N,\sigma(t)}(\cdot)]^T$. Each of the functions $f_{i,\sigma(t)}(\cdot)$ can be arbitrary⁴ 
and may be different for each node, depending on its role in the network. These functions are 
designed a priori so that the normal nodes reach consensus. However, some of the nodes may 
not follow the prescribed strategy if they are compromised by an adversary. Such misbehaving 
nodes threaten the group objective, and it is important to design the $f_{i,\sigma(t)}(\cdot)$'s in such a way 
that the influence of such nodes can be eliminated or reduced without prior knowledge about 
their identities. 

B. Threat Model 

Definition 1: A node $k \in \mathcal{A}$ is said to be malicious if 

• it is not normal (i.e., it does not follow the prescribed update model either for at least 
one time-step in discrete time, or for some time interval of nonzero Lebesgue measure in 
continuous time); 

• it conveys the same value, $x_k[t]$, to each out-neighbor; 

• (for continuous-time systems) its value trajectory, $x_k[t]$, $\forall t$, is a uniformly continuous function 
of time on $[0, \infty)$. 

³ Throughout this paper we refer to a node's value and state interchangeably. 

⁴ In continuous time, $f_{\sigma(t)}(\cdot)$ must satisfy appropriate assumptions to ensure existence of solutions. 

A few remarks are in order concerning malicious nodes. First, each malicious node is allowed 
to be omniscient (i.e., it knows all other values and the full network topology; it is aware of the 
update rules $f_{i,\sigma(t)}(\cdot)$, $\forall i \in \mathcal{N}$; it knows which other nodes are adversaries; and it knows the 
plans of the other adversaries). The statement in the definition that the malicious nodes are not 
normal is intended to capture the idea that they do not apply the prescribed update rule for all 
time. The second assumption is intended as an assertion on the network realization. That is, if 
the network is realized through sensing or broadcast communication, it is assumed that the out-neighbors 
receive the same information. The third point is a technical assumption that applies 
only to malicious nodes modeled in continuous time. Limited only by these assumptions, the 
malicious nodes are otherwise allowed to operate in an arbitrary (potentially worst case) manner. 

C. Scope of Threats 

While there are various stochastic models that could be used to formalize the threat as- 
sumptions, here we use a deterministic approach and consider upper bounds on the number of 
compromised nodes either in the network (F-total) or in each node's neighborhood (F-local). 

Definition 2 (F-total set): A set $\mathcal{S} \subset \mathcal{V}$ is F-total if it contains at most $F$ nodes in the 
network, i.e., $|\mathcal{S}| \le F$, $F \in \mathbb{Z}_{\ge 0}$. 

Definition 3 (F-local set): A set $\mathcal{S} \subset \mathcal{V}$ is F-local if it contains at most $F$ nodes in the 
neighborhood of the other nodes for all $t$, i.e., $|\mathcal{V}_i[t] \cap \mathcal{S}| \le F$, $\forall i \in \mathcal{V} \setminus \mathcal{S}$, $F \in \mathbb{Z}_{\ge 0}$. 

It should be noted that because the network topology may be time-varying, the local properties 
defining an F-local set must hold at all time instances. These definitions facilitate the definitions 
of the scope of threat models. 

Definition 4: A set of adversary nodes is F-totally bounded or F-locally bounded if it is 
an F-total set or F-local set, respectively. We refer to these threat scopes as the F-total and 
F-local models, respectively. 



Note that whenever the set of $A$ adversary nodes $\mathcal{A}$ is F-totally bounded, we know $A \le F$. 
On the other hand, if $\mathcal{A}$ is F-locally bounded, it is possible that $A > F$. Indeed, there is no upper 
bound for F-locally bounded $\mathcal{A}$ since it is feasible that many adversaries may not be neighbors 
with any of the normal nodes over time. As a matter of terminology, we will refer to the threat 
model consisting of F-totally (or F-locally) bounded malicious nodes as the F-total malicious 
model (or F-local malicious model). The F-total fault model has been studied in distributed 
computing [13], [20], [32] and mobile robotics [?], [?], [?] for both stopping (or crash) failures 
and Byzantine failures. The F-local fault model has been studied in the context of Byzantine 
fault-tolerant broadcasting [12], [24]. 
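As an added illustration of Definitions 2 to 4 (example code, not from the paper), the following Python checks whether a constructed adversary set is F-total, and whether it is F-local across every edge set of a constructed two-step topology. The node numbering, edges and adversary set are made up for the example; the point is that a set with $A > F$ members can still be F-local as long as no node outside it ever sees more than $F$ of them.

```python
# Added example (not from the paper): checking the F-total and F-local scope of
# threat (Definitions 2-4) for an adversary set S on a constructed time-varying
# digraph. Edges are (j, i) pairs meaning j -> i, so j is an in-neighbour of i.
from typing import List, Set, Tuple

Edge = Tuple[int, int]


def in_neighbours(edges: Set[Edge], i: int) -> Set[int]:
    """V_i[t]: the nodes whose values node i receives under edge set E[t]."""
    return {j for (j, k) in edges if k == i}


def is_f_total(s: Set[int], f: int) -> bool:
    """Definition 2: at most F adversaries in the whole network."""
    return len(s) <= f


def is_f_local(s: Set[int], nodes: Set[int], topology: List[Set[Edge]], f: int) -> bool:
    """Definition 3: every node outside S has at most F members of S among its
    in-neighbours, and this must hold for every edge set E[t] in the trajectory."""
    return all(len(in_neighbours(edges, i) & s) <= f
               for edges in topology
               for i in nodes - s)


# Constructed example: normal nodes 0-3 form a complete digraph; each normal node i
# additionally listens to exactly one adversary 4 + i at t = 0.
NODES: Set[int] = set(range(8))
ADVERSARIES: Set[int] = {4, 5, 6, 7}
E0: Set[Edge] = ({(j, i) for i in range(4) for j in range(4) if j != i}
                 | {(4 + i, i) for i in range(4)})
# At t = 1 a second adversary also reaches node 0, so node 0 now sees two of them.
E1: Set[Edge] = E0 | {(5, 0)}


def scope_report(f: int = 1) -> dict:
    """Which threat scopes the constructed adversary set satisfies for parameter F = f."""
    return {
        "total": is_f_total(ADVERSARIES, f),
        "local_t0": is_f_local(ADVERSARIES, NODES, [E0], f),
        "local_t0_t1": is_f_local(ADVERSARIES, NODES, [E0, E1], f),
    }


if __name__ == "__main__":
    print(scope_report(1))
```

For $F = 1$ the four adversaries are not 1-total, but they are 1-local while only $\mathcal{E}[0]$ is in force; once $\mathcal{E}[1]$ gives node 0 a second adversarial in-neighbour, the set stops being 1-local, exactly as the remark after Definition 3 requires (the bound must hold at all times).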

D. Resilient Asymptotic Consensus 

Given the threat model and scope of threats, we formally define resilient asymptotic consensus. 
Let M[t] and m[t] be the maximum and minimum values of the normal nodes at time t, 
respectively. 

Definition 5 (Resilient Asymptotic Consensus): The normal nodes are said to achieve resilient 
asymptotic consensus in the presence of (a) F-totally bounded, or (b) F-locally bounded 
misbehaving nodes if 

• $\exists L \in \mathbb{R}$ such that $\lim_{t \to \infty} x_i[t] = L$ for all $i \in \mathcal{N}$, and 

• $[m[0], M[0]]$ is an invariant set (i.e., the normal values remain in the interval for all $t$), 
for any choice of initial values. Whenever the scope of threat is understood, we simply say that 
the normal nodes reach asymptotic consensus. 

The resilient asymptotic consensus problem has three important conditions. First, the normal 
nodes must reach asymptotic consensus in the presence of misbehaving nodes given a particular 
threat model (e.g., malicious) and scope of threat (e.g., F-total). This is a condition on agreement. 
Additionally, it is required that the interval containing the initial values of the normal nodes is an 
invariant set for the normal nodes; this is a safety condition. This safety condition is important 
when the current estimate of the consensus value is used in a safety critical process and the 
interval [m[0], M[0]] is known to be safe. The agreement and safety conditions, when combined, 
imply a third condition on validity: the consensus quantity that the values of the normal nodes 
converge to must lie within the range of initial values of the normal nodes. 



The validity condition is reasonable in applications where any value in the range of initial 
values of normal nodes is acceptable to select as the consensus value. For instance, consider a 
large sensor network where every sensor takes a measurement of its environment, captured as a 
real number. Suppose that at the time of measurement, all values taken by correct sensors fall 
within a range [a, b], and that all sensors are required to come to an agreement on a common 
measurement value. If the range of measurements taken by the normal sensors is relatively 
small, it will likely be the case that reaching agreement on a value within that range will 
form a reasonable estimate of the measurements taken by all sensors. However, if a set of 
malicious nodes is capable of biasing the consensus value outside of this range, the error in the 
measurements could be arbitrarily large. 

More generally, suppose the nodes are trying to distributively minimize $\sum_i h_i(\theta)$, where each 
of the $h_i$'s is a local convex function and $\theta$ is the optimization variable. If the initial value of 
each node $i$ represents the value of $\theta$ that minimizes $h_i$, a convex combination of these initial 
values will represent an estimate of the optimal $\theta$, within some bounded error. On the other 
hand, if an adversary is capable of biasing the consensus value arbitrarily, the resulting value 
of the objective function will also be arbitrarily far away from its minimum value. One can 
formulate similar motivating examples for the validity condition in other applications as well; 
for instance, a swarm of robots that are trying to flock should not be pulled in arbitrary directions 
by a malicious agent in the network. 



III. CONSENSUS ALGORITHM 

Linear consensus algorithms have attracted significant interest in recent years [22], [26], due 
to their applicability in a variety of contexts. In such strategies, at time $t$, each node senses or 
receives information from its neighbors, and changes its value according to 

(2) 

where $w_{ij}[t]$ is the weight assigned to node $j$'s value by node $i$ at time $t$. 

Different conditions have been reported in the literature to ensure asymptotic consensus is 
reached [13], [?], [25], [30], [33]. In discrete time, it is common to assume that there exists a 
constant $\alpha \in \mathbb{R}$, $0 < \alpha < 1$, such that all of the following conditions hold⁵: 

• $w_{ij}[t] = 0$ whenever $j \notin \mathcal{J}_i[t]$, $i \in \mathcal{N}$, $t \in \mathbb{Z}_{\ge 0}$; 

• $w_{ij}[t] \ge \alpha$, $\forall j \in \mathcal{V}_i[t]$, $i \in \mathcal{N}$, $t \in \mathbb{Z}_{\ge 0}$; 

• $w_{ii}[t] \ge \alpha - 1$, $\forall i \in \mathcal{N}$, $t \in \mathbb{Z}_{\ge 0}$; 

• $\sum_{j=1}^{n} w_{ij}[t] = 0$, $\forall i \in \mathcal{N}$, $t \in \mathbb{Z}_{\ge 0}$. 

In continuous time there are similar conditions, except in this case the self-weights are given 
by 

$$w_{ii}[t] = -\sum_{j \in \mathcal{V}_i[t]} w_{ij}[t].$$ 

In this case, the weights must be piecewise continuous and uniformly bounded. That is, there 
exists $\beta \in \mathbb{R}_{>0}$, $\beta \ge \alpha$, such that $w_{ij}[t] \le \beta$ for all $i \in \mathcal{N}$, $j \in \mathcal{V}_i[t]$, and $t \in \mathbb{R}_{\ge 0}$. Similar to the discrete-time 
case, the weights $w_{ij}[t]$ are zero precisely whenever $j \notin \mathcal{J}_i[t]$, and bounded below by $\alpha$ 
otherwise. Together, these conditions imply the analogue of the fourth condition above. 

Given these conditions, a necessary and sufficient condition for reaching asymptotic consensus 
in time-invariant networks is that the digraph has a rooted out-branching, also called a rooted 
directed spanning tree [26]. The case of dynamic networks is not quite as straightforward. In this 
case, under the conditions stated above, a sufficient condition for reaching asymptotic consensus 
is that there exists a uniformly bounded sequence of contiguous time intervals such that the 
union of digraphs across each interval has a rooted out-branching [25]. Recently, a more general 
condition referred to as the infinite flow property has been shown to be both necessary and 
sufficient for asymptotic consensus for a class of discrete-time stochastic models [30]. Finally, 
the lower bound on the weights is needed because there are examples of asymptotically vanishing 
weights in which consensus is not reached [19]. 

In general, the problem of selecting the best weights in the linear update rule (2) is nontrivial, 
and the choice affects the rate of consensus. The problem of selecting the optimal weights 
(with respect to the speed of the consensus process) in time-invariant, discrete-time, bidirectional 
networks is addressed in [33] by formulating a semidefinite program (SDP). However, this SDP is 
solved at design time with global knowledge of the network topology. A simple choice of weights 
for discrete-time systems that requires only local information is to let $w_{ij}[t] = 1/(1 + d_i[t])$ for 
$j \in \mathcal{V}_i[t]$ and $w_{ii}[t] = -d_i[t]/(1 + d_i[t])$. In continuous time, a simple choice is to let $w_{ij}[t] = 1$ 
for $j \in \mathcal{V}_i[t]$ and $w_{ii}[t] = -d_i[t]$. 

⁵ The conditions on the weights are modified from what is reported in the literature to account for the forward difference 
operator. Accounting for this, the updated value of each node is formed as a convex combination of the neighboring values and 
its own value. 

One problem with the linear update given in (2) is that it is not resilient to misbehaving 
nodes. In fact, it was shown in [10], [?] that a single 'leader' node can cause all agents 
to reach consensus on an arbitrary value of its choosing (potentially resulting in a dangerous 
situation in physical systems). 

The Adversarial Robust Consensus Protocol (ARC-P) addresses this vulnerability of the linear 
update of (2) by a simple modification. Instead of trusting every neighbor by using every value 
in the update, the normal node first removes the extreme values from consideration in the update 
by effectively setting their weights (temporarily) to zero. It is shown in subsequent sections 
that this simple strategy provides resilience against malicious nodes in robust networks. 

A. Description of ARC-P 

At time t, each normal node i obtains the values of other nodes in its neighborhood. At most 
F of node i's neighbors may be malicious; however, node i is unsure of which neighbors may be 
compromised. To ensure that node i updates its value in a safe manner, it removes the extreme 
values with respect to its own value according to the following protocol. 

1) At time t, each normal node i obtains the values of its neighbors, and forms a sorted list. 

2) If there are less than F values strictly larger than its own value, Xi[t], then normal node i 
removes all values that are strictly larger than its own. Otherwise, it removes precisely the 
largest F values in the sorted list (breaking ties in a deterministic manner; e.g., by keeping 
the values of the nodes with the smaller unique identifiers in X). Likewise, if there are less 
than F values strictly smaller than its own value, then node i removes all values that are 
strictly smaller than its own. Otherwise, it removes precisely the smallest F values. 

3) Let $\mathcal{R}_i[t]$ denote the set of nodes whose values were removed by normal node $i$ in step 2 
at time $t$. Each normal node $i$ applies the update 

(3) 

where the weights $w_{ij}[t]$ satisfy the conditions stated above, but with $\mathcal{J}_i[t]$ replaced by 
$\mathcal{J}_i[t] \setminus \mathcal{R}_i[t]$.⁶ Note that if all neighboring values are removed, then $D[x_i[t]] = 0$, i.e., node $i$ 
keeps its current value. 

As a matter of terminology, we refer to the bound on the number of larger or smaller values 
that could be thrown away as the parameter of the algorithm. Above, the parameter of ARC-P 
under the F-local and F-total models is F. 

Observe that the set of nodes removed by normal node $i$, $\mathcal{R}_i[t]$, is possibly time-varying. 
Hence, even though the underlying network topology may be fixed, ARC-P effectively induces 
switching behavior, and can be viewed as the linear update of (2) with a specific rule for state-dependent 
switching (the rule given in step 2). 
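The three steps above, as an added example that is not part of the paper: a discrete-time implementation of ARC-P with the simple local weights $w_{ij}[t] = 1/(1 + d_i[t] - |\mathcal{R}_i[t]|)$ of footnote 6, run next to the plain linear update (2) with $w_{ij}[t] = 1/(1 + d_i[t])$. The network (a complete digraph on six nodes), the initial values and the adversary's behaviour (node 5 ignores the protocol and keeps broadcasting 100) are constructed here and are not the paper's simulation.

```python
# Added example (not the paper's code): discrete-time ARC-P (steps 1-3 above) with the
# simple local weights w_ij = 1/(1 + d_i - |R_i|), next to the plain linear update it
# hardens. Network, initial values and adversary behaviour are constructed here.
from typing import Callable, Dict, Set

Values = Dict[int, float]
Graph = Dict[int, Set[int]]  # node -> its in-neighbours V_i

# Constructed network: complete digraph on 6 nodes; nodes 0-4 are normal, node 5 is
# malicious and simply broadcasts a constant value of its choosing to everyone.
NODES = range(6)
NORMAL: Set[int] = {0, 1, 2, 3, 4}
MALICIOUS = 5
GRAPH: Graph = {i: {j for j in NODES if j != i} for i in NODES}
X0: Values = {0: 1.0, 1: 2.0, 2: 3.0, 3: 4.0, 4: 5.0, MALICIOUS: 100.0}
F = 1  # each normal node assumes at most one malicious neighbour


def linear_step(x: Values, g: Graph, normal: Set[int], f: int) -> Values:
    """Linear update (2) with w_ij = 1/(1 + d_i): every neighbour's value is trusted."""
    new = dict(x)
    for i in normal:
        new[i] = (x[i] + sum(x[j] for j in g[i])) / (1 + len(g[i]))
    return new


def removed_set(i: int, x: Values, nbrs: Set[int], f: int) -> Set[int]:
    """Step 2: R_i, the neighbours whose values node i discards. Up to f values strictly
    larger and up to f strictly smaller than x_i go; ties keep the smaller node id."""
    larger = sorted((j for j in nbrs if x[j] > x[i]), key=lambda j: (-x[j], -j))
    smaller = sorted((j for j in nbrs if x[j] < x[i]), key=lambda j: (x[j], -j))
    return set(larger[:f]) | set(smaller[:f])


def arcp_step(x: Values, g: Graph, normal: Set[int], f: int) -> Values:
    """Step 3 with the footnote-6 weights: x_i[t+1] is the mean of x_i and the kept values."""
    new = dict(x)
    for i in normal:
        kept = g[i] - removed_set(i, x, g[i], f)
        new[i] = (x[i] + sum(x[j] for j in kept)) / (1 + len(kept))
    return new


def simulate(step: Callable[[Values, Graph, Set[int], int], Values], steps: int) -> Values:
    """Runs `steps` synchronous rounds; the malicious node ignores the protocol."""
    x = dict(X0)
    for _ in range(steps):
        x = step(x, GRAPH, NORMAL, F)
        x[MALICIOUS] = X0[MALICIOUS]
    return x


def within_initial_range(x: Values) -> bool:
    """Safety condition of Definition 5: normal values stay inside [m[0], M[0]]."""
    lo, hi = min(X0[i] for i in NORMAL), max(X0[i] for i in NORMAL)
    return all(lo <= x[i] <= hi for i in NORMAL)


def spread(x: Values) -> float:
    """M[t] - m[t] over the normal nodes; zero means agreement."""
    return max(x[i] for i in NORMAL) - min(x[i] for i in NORMAL)


if __name__ == "__main__":
    lin = simulate(linear_step, 200)
    arc = simulate(arcp_step, 60)
    print("linear :", {i: round(lin[i], 3) for i in NORMAL}, "safe:", within_initial_range(lin))
    print("ARC-P  :", {i: round(arc[i], 3) for i in NORMAL}, "safe:", within_initial_range(arc))
```

With $F = 1$ the malicious value is always the strictly largest one seen by every normal node, so step 2 discards it every round; the normal values never leave $[1, 5]$ and settle on a common value (3.5 for these inputs). Under the linear update the same single misbehaving node drags all five normal values to 100, which is the 'leader' attack described above.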

B. ARC-P in Continuous Time 

The previous section outlined the steps taken in ARC-P to remove the influence of nodes with 
extreme values. In order to analyze (3) for existence and uniqueness of solutions in continuous 
time, it is useful to express ARC-P as a composition of functions. For this, we require the 
following definitions. 

Definition 6: Let $k \in \mathbb{N}$ and $F \in \mathbb{Z}_{\ge 0}$. Denote the elements of vectors $\xi, w, z \in \mathbb{R}^k$ by $\xi_l$, $w_l$, 
and $z_l$, respectively, for $l = 1, 2, \dots, k$. Then: 

(i) The (ascending) sorting function on $k$ elements, $\rho_k : \mathbb{R}^k \to \mathbb{R}^k$, is defined by $\xi = \rho_k(z)$ 
such that $\xi$ is a permutation of $z$ which satisfies 

$$\xi_1 \le \xi_2 \le \dots \le \xi_k; \tag{4}$$ 

(ii) The weighted zero-selective reduce function with respect to $F$ and $k$, $r^k_{0,F} : \mathbb{R}^k \times \mathbb{R}^k \to \mathbb{R}$, 
is defined by (5), where $\mathbb{1}_{\ge 0}(\cdot)$ and $\mathbb{1}_{\le 0}(\cdot)$ are indicator functions, and the weights are 
uniformly bounded by $0 < \alpha \le w_l \le \beta$, $\forall l$. 

(iii) The composition of the sorting and weighted zero-selective reduce functions with respect 
to $F$ and $k$ is defined by $\phi^k_F : \mathbb{R}^k \times \mathbb{R}^k \to \mathbb{R}$, which is defined for all $z \in \mathbb{R}^k$ and weights $w \in \mathbb{R}^k$ 
such that $0 < \alpha \le w_l \le \beta$ by 

$$\phi^k_F(z, w) = r^k_{0,F}(\rho_k(z), w).$$ 

$$r^k_{0,F}(z, w) = \begin{cases} \sum_{l=1}^{F} w_l \mathbb{1}_{\ge 0}(z_l) z_l + \sum_{l=F+1}^{k-F} w_l z_l + \sum_{l=k-F+1}^{k} w_l \mathbb{1}_{\le 0}(z_l) z_l, & k > 2F; \\[4pt] \sum_{l=1}^{k-F} w_l \mathbb{1}_{\ge 0}(z_l) z_l + \sum_{l=F+1}^{k} w_l \mathbb{1}_{\le 0}(z_l) z_l, & F < k \le 2F; \\[4pt] 0, & k \le F. \end{cases} \tag{5}$$ 

In (5) the first $F$ sorted positions survive only when they are non-negative (fewer than $F$ values lie below the node's own value, so step 2 removes none of them), and the last $F$ only when they are non-positive; for $F < k \le 2F$ the two removal windows overlap, and for $k \le F$ every neighboring value is removed, so the result is zero. 

⁶ In this case, a simple choice for the weights in discrete time is to let $w_{ij}[t] = 1/(1 + d_i[t] - |\mathcal{R}_i[t]|)$ for $j \in \mathcal{V}_i[t] \setminus \mathcal{R}_i[t]$ and 
$w_{ii}[t] = (|\mathcal{R}_i[t]| - d_i[t])/(1 + d_i[t] - |\mathcal{R}_i[t]|)$. In continuous time, let $w_{ij}[t] = 1$ for $j \in \mathcal{V}_i[t] \setminus \mathcal{R}_i[t]$ and $w_{ii}[t] = |\mathcal{R}_i[t]| - d_i[t]$. 



Then, the update rule of ARC-P for each normal node $i \in \mathcal{N}$ for $t \in \mathbb{R}_{\ge 0}$ is given by 

$$f_{i,\sigma(t)}(t, x_{\mathcal{N}}, x_{\mathcal{A}}) = \phi^{d_i[t]}_F\big(J_i[t]\,(x[t] - x_i[t]\mathbf{1}_n),\ w_i[t]\big), \tag{6}$$ 

in which $x[t] = [x_{\mathcal{N}}^T[t], x_{\mathcal{A}}^T[t]]^T \in \mathbb{R}^n$ and $\mathbf{1}_n \in \mathbb{R}^n$ is the vector of ones. The time-varying weight 
vector 

$$w_i[t] = \big[w_{i i_1[t]}[t],\ w_{i i_2[t]}[t],\ \dots,\ w_{i i_{d_i[t]}[t]}[t]\big]^T$$ 

satisfies the bound $0 < \alpha \le w_{i i_j[t]}[t] \le \beta$ for all $j = 1, 2, \dots, d_i[t]$, where $i_1[t], i_2[t], \dots, i_{d_i[t]}[t]$ are 
the node indices of the neighbors of node $i$ in the order determined by the sorting function at 
time $t$ (i.e., according to (4), such that the weights match the corresponding neighbor). Finally, 
$J_i[t] \in \mathbb{R}^{d_i[t] \times n}$ is a sparse matrix with each row corresponding to a distinct $j \in \mathcal{V}_i[t]$ such 
that each row has a single 1 in the $j$-th column. Thus, there is a one-to-one correspondence 
between $j \in \mathcal{V}_i[t]$ and rows in $J_i[t]$. These terms are defined so that (6) is equivalent to (3) for 
all $t \in \mathbb{R}_{\ge 0}$. 
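The functions of Definition 6, as an added Python example (not the paper's code): $\rho_k$, $r^k_{0,F}$ with all three cases of (5), and their composition $\phi^k_F$, together with a sampled check of the Lipschitz constant $\beta$ that Theorem 1 below establishes for $r^k_{0,F}$ in the Manhattan norm. The inputs are constructed offsets $x_j - x_i$ of a node's neighbors from its own value, and the weight vector is assumed to already be in sorted-neighbor order, as in (6).

```python
# Added example (not the paper's code): rho_k (sorting), r^k_{0,F} (weighted zero-selective
# reduce, eq. (5)) and phi^k_F = r^k_{0,F} o rho_k, evaluated on constructed offsets
# z_l = x_j - x_i. The weights w are assumed to be ordered to match the sorted offsets.
import random
from typing import List, Sequence


def rho(z: Sequence[float]) -> List[float]:
    """rho_k: ascending permutation of z, eq. (4)."""
    return sorted(z)


def reduce_zero_selective(xi: Sequence[float], w: Sequence[float], f: int) -> float:
    """r^k_{0,F}(xi, w) for already-sorted xi. The lowest F positions survive only if they
    are non-negative (fewer than F values fell below x_i), the highest F only if they
    are non-positive; everything strictly in between is always kept."""
    k = len(xi)
    if len(w) != k:
        raise ValueError("one weight per sorted position")
    ge0 = lambda v: v if v >= 0 else 0.0  # 1_{>=0}(v) * v
    le0 = lambda v: v if v <= 0 else 0.0  # 1_{<=0}(v) * v
    if k <= f:                                   # every value is an extreme: nothing kept
        return 0.0
    if k <= 2 * f:                               # the two removal windows overlap
        return (sum(w[l] * ge0(xi[l]) for l in range(0, k - f))
                + sum(w[l] * le0(xi[l]) for l in range(f, k)))
    return (sum(w[l] * ge0(xi[l]) for l in range(0, f))          # k > 2F
            + sum(w[l] * xi[l] for l in range(f, k - f))
            + sum(w[l] * le0(xi[l]) for l in range(k - f, k)))


def phi(z: Sequence[float], w: Sequence[float], f: int) -> float:
    """phi^k_F(z, w) = r^k_{0,F}(rho_k(z), w): the continuous-time ARC-P drift of node i."""
    return reduce_zero_selective(rho(z), w, f)


def worst_lipschitz_ratio(k: int, f: int, alpha: float, beta: float,
                          trials: int, seed: int = 1) -> float:
    """Empirical sup of |phi(z,w) - phi(y,w)| / ||z - y||_1 over random inputs. By the
    argument of Theorem 1 (sorting is 1-Lipschitz, each term is beta-Lipschitz) this
    never exceeds beta."""
    rng = random.Random(seed)
    worst = 0.0
    for _ in range(trials):
        w = [rng.uniform(alpha, beta) for _ in range(k)]
        z = [rng.uniform(-10, 10) for _ in range(k)]
        y = [rng.uniform(-10, 10) for _ in range(k)]
        l1 = sum(abs(a - b) for a, b in zip(z, y))
        worst = max(worst, abs(phi(z, w, f) - phi(y, w, f)) / l1)
    return worst


if __name__ == "__main__":
    # node i at value 3 sees neighbours at 1, 2, 4, 5 and a malicious 100; with F = 1 and
    # unit weights both extremes are discarded and the drift is (-1) + 1 + 2 = 2
    print(phi([-2.0, -1.0, 1.0, 2.0, 97.0], [1.0] * 5, 1))
    print(worst_lipschitz_ratio(k=5, f=1, alpha=0.5, beta=2.0, trials=500))
```

The two-neighbor cases in the test exercise the overlapping window: with offsets $\{-3, 4\}$ and $F = 1$ both values are extremes and the drift is zero, while with $\{2, 4\}$ only the larger one is removed and the smaller survives with the weight of its sorted position.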

1) Existence and Uniqueness of Solutions: As a first step toward showing existence and 
uniqueness of solutions, we show that (6) satisfies a Lipschitz condition for all $i \in \mathcal{N}$. 

Definition 7: Let $\|\cdot\|$ denote any norm defined on a Euclidean space, and let $g(t, x, u)$, 
$g : \mathbb{R} \times \mathbb{R}^n \times \mathbb{R}^m \to \mathbb{R}^q$, be a piecewise continuous function in $t$ and $u$. Then $g$ satisfies a global 
Lipschitz condition with Lipschitz constant $L$ if the following condition holds for all $z, y \in \mathbb{R}^n$, 
$t \in \mathbb{R}$: 

$$\|g(t, z, u) - g(t, y, u)\| \le L \|z - y\|.$$ 

Theorem 1: The function $f_{\sigma(t)}(t, x_{\mathcal{N}}, x_{\mathcal{A}}) = f_{\sigma(t)}(t, x)$ that defines the dynamics of the normal 
nodes, with $f_{i,\sigma(t)}(\cdot)$ defined in (6), satisfies a global Lipschitz condition in $x_{\mathcal{N}}$ and $x$. 

Proof: Because the weights are piecewise continuous and the switching signal is piecewise 
constant, it follows that $f_{\sigma(t)}(t, x)$ is piecewise continuous in $t$. We first show that $f_{\sigma(t)}(t, x)$ 
satisfies a Lipschitz condition in $x$ by showing that the component functions $f_{i,\sigma(t)}(t, x)$ do. For 
this, fix $t \in \mathbb{R}_{\ge 0}$, $F \in \mathbb{Z}_{\ge 0}$, $d_i[t] = k$, and $w_i[t] = w$. The argument to $\phi^k_F(\cdot, w)$ is linear and the 
sorting function is Lipschitz, as shown in [10]. Hence, all there is to show is that the weighted 
zero-selective reduce function with respect to $F$ and $k$ is Lipschitz. Fix $z, y \in \mathbb{R}^k$. The key 
observation is that 

$$\big|\mathbb{1}_{\ge 0}(z_l) z_l - \mathbb{1}_{\ge 0}(y_l) y_l\big| \le |z_l - y_l|,$$ 

for each $l = 1, 2, \dots, k$, which is trivial to show by checking the four cases depending on the 
signs of $z_l$ and $y_l$. Since $0 < \alpha \le w_l \le \beta$, it follows that 

$$\big|w_l \mathbb{1}_{\ge 0}(z_l) z_l - w_l \mathbb{1}_{\ge 0}(y_l) y_l\big| \le \beta |z_l - y_l|.$$ 

Likewise, the inequality holds when the indicator function is $\mathbb{1}_{\le 0}(\cdot)$ instead of $\mathbb{1}_{\ge 0}(\cdot)$. Combining 
this with the triangle inequality, it is straightforward to show using the Manhattan norm that 
$r^k_{0,F}$ is Lipschitz with Lipschitz constant $\beta$. Finally, we show $f_{\sigma(t)}(t, x_{\mathcal{N}}, x_{\mathcal{A}})$ satisfies a Lipschitz 
condition in $x_{\mathcal{N}}$. Fix $y, z \in \mathbb{R}^N$ and note that the malicious nodes' trajectories are uniformly 
continuous in time by assumption (and therefore $f_{\sigma(t)}(t, x_{\mathcal{N}}, x_{\mathcal{A}})$ is piecewise continuous in time). 
Since there exists a global Lipschitz constant for $x$, denoted $L$, we know 

$$\|f_{\sigma(t)}(t, y, x_{\mathcal{A}}) - f_{\sigma(t)}(t, z, x_{\mathcal{A}})\| \le L \left\| \begin{bmatrix} y \\ x_{\mathcal{A}} \end{bmatrix} - \begin{bmatrix} z \\ x_{\mathcal{A}} \end{bmatrix} \right\| = L \|y - z\|. \qquad \blacksquare$$ 

Since we assume that $\sigma(t)$ is piecewise constant, $x_{\mathcal{A}}$ is piecewise continuous (in fact we assume 
it is uniformly continuous on $[0, \infty)$), and the weights are piecewise continuous, it follows that 
$f_{\sigma(t)}(t, x_{\mathcal{N}}, x_{\mathcal{A}})$ defined by (1) with component functions given in (6) is piecewise continuous 
in $t$. Theorem 1 shows that $f_{\sigma(t)}(\cdot)$ is Lipschitz in $x_{\mathc{N}}$. We show next in Lemma 1 that $f_{\sigma(t)}(\cdot)$ 
is bounded by the current normal values $x_{\mathcal{N}}[t]$ for $t \in \mathbb{R}_{\ge 0}$. From these facts, we conclude the 
local existence and uniqueness of solutions of (6) for all $i \in \mathcal{N}$. Then, we show in Lemma 2 
that any solution is confined to a compact set, from which we conclude global existence and 
uniqueness of solutions of (6) for all $i \in \mathcal{N}$. 

Lemma 1: Consider the normal node $i \in \mathcal{N}$ with continuous dynamics executing ARC-P with 
parameter $F \in \mathbb{Z}_{\geq 0}$ and assume there are at most $F$ adversary nodes in its neighborhood at time 
$t$. Then, for each $t \in \mathbb{R}_{\geq 0}$, 

$$B\,(m[t] - x_i[t]) \leq f_{i,\sigma(t)}(t, x_{\mathcal{N}}, x_{\mathcal{A}}) \leq B\,(M[t] - x_i[t]),$$

where $B = \beta(n - F - 1)$, $m[t] = \min_{j \in \mathcal{N}}\{x_j[t]\}$, and $M[t] = \max_{k \in \mathcal{N}}\{x_k[t]\}$. 

Proof: If $d_i[t] \leq F$, or if $F < d_i[t] \leq 2F$ and there are at most $F$ neighbors with larger and 
smaller values than $x_i[t]$, then $f_{i,\sigma(t)}(t, x_{\mathcal{N}}, x_{\mathcal{A}}) = 0$, and the result follows. Therefore, assume 
$d_i[t] > F$ and at least one value not equal to $x_i[t]$ is used in the update at time $t$, say $x_j[t]$. 
Suppose $x_j[t] > M[t]$. Then, by definition $j$ must be an adversary and $x_j[t] > x_i[t]$. Since $i$ uses 
$x_j[t]$ at time $t$, there must be at least $F$ more nodes in the neighborhood of $i$ with values at least 
as large as $x_j[t]$. Hence, these nodes must also be adversaries, which contradicts the assumption 
of at most $F$ adversary nodes in the neighborhood of $i$ at time $t$. Thus, $x_j[t] \leq M[t]$. Similarly, 
we can show that $x_j[t] \geq m[t]$. By combining the facts that there are at most $n - 1$ neighbors of 
$i$, at least $F$ values will be removed (since $d_i[t] > F$), and $w_{ij}[t] \leq \beta$ for all $j \in \mathcal{V}_i[t]$, it follows 
that 

$$B\,(m[t] - x_i[t]) \leq \sum_{j \in \mathcal{V}_i[t] \setminus \mathcal{R}_i[t]} w_{ij}[t]\,(x_j[t] - x_i[t]) \leq B\,(M[t] - x_i[t]). \qquad \blacksquare$$

Observe that Lemma 1 holds under both the F-total and F-local models, and bounds $f_{\sigma(t)}(\cdot)$ 
as a function of the total number of nodes $n$, the upper bound $F$ on the number of adversaries 
in the neighborhood of any normal node, and the current state of the normal node values 
$x_{\mathcal{N}}[t]$. The next result shows that for any solution of the continuous-time dynamics, the hypercube $\mathcal{H}_0$, which is given by 
$[m[0], M[0]]^N$, is a robustly positively invariant set (defined as follows). 

Definition 8: The set $\mathcal{S} \subset \mathbb{R}^N$ is robustly positively invariant for the system of normal nodes 
if for all $x_{\mathcal{N}}[0] \in \mathcal{S}$ and all $x_{\mathcal{A}}[t] \in \mathbb{R}^{|\mathcal{A}|}$, any solution satisfies $x_{\mathcal{N}}[t] \in \mathcal{S}$ for all $t \geq 0$. 

Lemma 2: Suppose the normal nodes in $\mathcal{N}$ have continuous dynamics and use ARC-P with 
parameter $F \in \mathbb{Z}_{\geq 0}$ under the F-local or F-total malicious model. Then, the hypercube $\mathcal{H}_0 = 
[m[0], M[0]]^N$, defined by 

$$\mathcal{H}_0 = \{ y \in \mathbb{R}^N : m[0] \leq y_i \leq M[0],\ i = 1, 2, \ldots, N \},$$

is robustly positively invariant for the system of normal nodes. 

Proof: Since $\mathcal{H}_0$ is compact and any solution of the continuous-time dynamics is continuous with $x_{\mathcal{N}}[0] \in 
\mathcal{H}_0$, we must show that $f_{\sigma(t)}(\cdot)$ is not directed outside of $\mathcal{H}_0$ whenever $x_{\mathcal{N}}[t] \in \partial\mathcal{H}_0$, for all 
$\mathcal{D}_{\sigma(t)} \in \Gamma_n$ and all allowable trajectories of $x_{\mathcal{A}}$. The boundary of $\mathcal{H}_0$ is given by 

$$\partial\mathcal{H}_0 = \{ y \in \mathcal{H}_0 : \exists i \in \{1, 2, \ldots, N\} \text{ s.t. } y_i \in \{m[0], M[0]\} \}.$$

Now, fix $x_{\mathcal{N}} \in \partial\mathcal{H}_0$ for some $t \in \mathbb{R}_{\geq 0}$. Let $e_j$ denote the $j$-th canonical basis vector and 
define $\mathcal{I}_{\mathcal{N},\min}, \mathcal{I}_{\mathcal{N},\max} \subseteq \{1, 2, \ldots, N\}$ as the sets given by 

$$j \in \mathcal{I}_{\mathcal{N},\min} \Leftrightarrow x_j = m[0] \quad \text{and} \quad k \in \mathcal{I}_{\mathcal{N},\max} \Leftrightarrow x_k = M[0].$$

Then, from the geometry of the hypercube, we require 

$$e_j^{\top} f_{\sigma(t)}(t, x_{\mathcal{N}}, x_{\mathcal{A}}) \geq 0 \quad \forall j \in \mathcal{I}_{\mathcal{N},\min}, \qquad e_k^{\top} f_{\sigma(t)}(t, x_{\mathcal{N}}, x_{\mathcal{A}}) \leq 0 \quad \forall k \in \mathcal{I}_{\mathcal{N},\max}.$$

These conditions are true for all $\mathcal{D}_{\sigma(t)} \in \Gamma_n$ and $x_{\mathcal{A}}$ under the F-local or F-total models by 
Lemma 1, in which the lower bound is used for $j \in \mathcal{I}_{\mathcal{N},\min}$ (since $x_j = m[0]$), and the upper 
bound is used for $k \in \mathcal{I}_{\mathcal{N},\max}$ (since $x_k = M[0]$). ■ 
The argument made in Lemma 1 implies that any time an adversary under the F-total or 
F-local model is outside of $\mathcal{X}_t = [m[t], M[t]]$, its influence is guaranteed to be removed by its 
normal neighbors, and therefore it has the same effect as if it were on the boundary of $\mathcal{X}_t$. Using 
Lemma 2, we conclude $\mathcal{X}_t \subseteq \mathcal{X}_0$, $\forall t \geq 0$. Hence, each adversary is effectively restricted to the 
compact set $\mathcal{X}_0$ with respect to the normal nodes' dynamics. This fact enables us to allow adversary states in $\mathbb{R}^{|\mathcal{A}|}$ rather 
than explicitly restricting them to a compact set, while still ensuring existence and uniqueness 
of solutions. 

Corollary 1: Given the choice of bounded, piecewise continuous, time-varying weights, piecewise 
constant switching signal, and adversaries (i.e., adversary value trajectories) that satisfy the 
F-local or F-total malicious model, the system of normal nodes defined by the continuous-time dynamics with component 
functions given above has a unique solution for all $t \geq 0$ and for any $x_{\mathcal{N}}[0] \in \mathbb{R}^N$. 

IV. ROBUST NETWORK TOPOLOGIES 

A. Network Robustness 

In this section, we introduce robust network topologies that satisfy certain graph theoretic 
properties, which we refer to generically as network robustness. Network robustness formalizes 
the notion of sufficient redundancy of information flow to subsets of a network in a single 
hop. Therefore, this property holds promise to be effective for the study of resilient distributed 
algorithms that use only local information. In contrast, network connectivity formalizes the 
notion of sufficient redundancy of information flow across the network through independent 
paths. Because each independent path may include multiple intermediate nodes, 
network connectivity is well suited for studying resilient distributed algorithms that assume such 
nonlocal information is available (for example, by explicitly relaying information across multiple 
hops in the network [20], or by 'inverting' the dynamics on the network to recover the needed 
information [23], [29]). However, network connectivity is no longer an appropriate metric for 
an algorithm that uses purely local information, such as ARC-P. This is demonstrated by the 
following proposition [34]. 

Fig. 1. Example of a 5-connected graph satisfying Prop. 1 whenever F = 2. 

Proposition 1: There exists a graph with connectivity $\kappa = \lfloor n/2 \rfloor + F - 1$ in which ARC-P does 
not ensure asymptotic consensus. 

Figure 1 illustrates an example of this kind of graph with $n = 9$, $F = 2$, and $\kappa = 5$. In 
this graph, there are two cliques (complete subgraphs), $X = K_4$ and $Y = K_5$, where $K_n$ is 
the complete graph on $n$ nodes. Each node in $X$ has exactly $F = 2$ neighbors in $Y$, and all 
but two nodes in $Y$ have $F = 2$ neighbors in $X$ (nodes 5 and 9 have only one neighbor in 
$X$, because otherwise a node in $X$ would have more than $F = 2$ neighbors in $Y$). One can 
see that if the initial values of nodes in $X$ and $Y$ are $a \in \mathbb{R}$ and $b \in \mathbb{R}$, respectively, with 
$a \neq b$, then asymptotic consensus is not achieved whenever ARC-P is used with parameter $F$, 
even in the absence of misbehaving nodes. This is because each node views the values of its $F$ 
neighbors from the opposing set as extreme, and removes all of these values from its list. The 
only remaining values for each node are from its own set, and thus no node ever changes its 
value. 

The situation can be even worse in the more general case of digraphs. Examples of digraphs 
are illustrated in [18] that are $(n - 1)$-connected and have minimum out-degree $n - 2$, yet 
ARC-P still cannot guarantee asymptotic consensus. Thus, even digraphs with a relatively large 
connectivity (or minimum out-degree) are not sufficient to guarantee consensus of the normal 
nodes, indicating the inadequacy of these traditional metrics for analyzing the convergence properties 
of ARC-P. Taking a closer look at the graph in Fig. 1, we see that the reason for the failure 
of consensus is that no node has enough neighbors in the opposite set; this causes every node 
to throw away all useful information from outside of its set, and prevents consensus. Based on 
this intuition, the following properties, i.e., r-reachable sets and r-robustness, were introduced 
in [34]. 

Definition 9 (r-reachable set): Given a digraph $\mathcal{D}$ and a nonempty subset $\mathcal{S}$ of nodes of $\mathcal{D}$, 
we say $\mathcal{S}$ is an $r$-reachable set if $\exists i \in \mathcal{S}$ such that $|\mathcal{V}_i \setminus \mathcal{S}| \geq r$, where $r \in \mathbb{Z}_{\geq 0}$. 

A set S is r-reachable if it contains a node that has at least r neighbors outside of S. The 
parameter r quantifies the redundancy of information flow from nodes outside of S to some 
node inside S. Intuitively, the r-reachability property captures the idea that some node inside 
the set is influenced by a sufficiently large number of nodes from outside the set. The above 
reachability property pertains to a given set S; in order to generalize this notion of redundancy 
to the entire network, we introduce the following definition of r-robustness. 

Definition 10 (r-robustness): A nonempty, nontrivial digraph $\mathcal{D} = \{\mathcal{V}, \mathcal{E}\}$ on $n$ nodes ($n \geq 2$) 
is $r$-robust, with $r \in \mathbb{Z}_{\geq 0}$, if for every pair of nonempty, disjoint subsets of $\mathcal{V}$, at least one of 
the subsets is $r$-reachable. By convention, if $\mathcal{D}$ is empty or trivial ($n \leq 1$), then $\mathcal{D}$ is 0-robust. 
The trivial graph is also 1-robust. 

The reason that pairs of nonempty, disjoint subsets of nodes are considered in the definition 
of r-robustness can be seen in the example of Fig. 1. If either $X$ or $Y$ were 3-reachable ($r = 
F + 1 = 3$), then at least one node would be sufficiently influenced by a node outside of its set in 
order to drive it away from the values of its group, and thereby lead its group to the values of the 
other set. However, if there are misbehaving nodes in the network, then the situation becomes 
more complex. For example, consider the F-total model of malicious nodes, and consider two 
sets $X$ and $Y$ in the graph. Let $s$ be the total number of nodes in these two sets that each have 
at least $F + 1$ neighbors outside their own set. If $s \leq F$, then simply by choosing these nodes 
to be malicious, the sets $X$ and $Y$ contain no normal nodes that bring in enough information 
from outside, and thus the system can be prevented from reaching consensus. This reasoning 
suggests a need to specify a minimum number of nodes that are sufficiently influenced from 
outside of their set (in this example, at least $F + 1$ nodes). This intuition leads to the following 
generalizations of r-reachability and r-robustness. 

Definition 11 ((r, s)-reachable set): Given a digraph $\mathcal{D}$ and a nonempty subset of nodes $\mathcal{S}$, 
we say that $\mathcal{S}$ is an $(r, s)$-reachable set if there are at least $s$ nodes in $\mathcal{S}$ with at least $r$ neighbors 
outside of $\mathcal{S}$, where $r, s \in \mathbb{Z}_{\geq 0}$; i.e., given $\mathcal{X}_{\mathcal{S}} = \{ i \in \mathcal{S} : |\mathcal{V}_i \setminus \mathcal{S}| \geq r \}$, then $|\mathcal{X}_{\mathcal{S}}| \geq s$. 

Observe that r-reachability is equivalent to $(r, 1)$-reachability; hence, $(r, s)$-reachability is a 
strict generalization of r-reachability. If a set $\mathcal{S}$ is $(r, s)$-reachable, we know there are at least $s$ 
nodes in $\mathcal{S}$ with at least $r$ neighbors outside of $\mathcal{S}$. Thus, if $\mathcal{S}$ is $(r, s)$-reachable, then it is $(r, s')$-reachable 
for $s' \leq s$. Also, it is clear that $s \leq |\mathcal{S}|$ and all subsets of nodes of any digraph are 
$(r, 0)$-reachable. The additional specificity on the number of nodes with redundant information 
flow from outside of their set is useful for defining a more general notion of robustness. 

Definition 12 ((r, s)-robustness): A nonempty, nontrivial digraph $\mathcal{D} = \{\mathcal{V}, \mathcal{E}\}$ on $n$ nodes 
($n \geq 2$) is $(r, s)$-robust, for nonnegative integers $r \in \mathbb{Z}_{\geq 0}$, $1 \leq s \leq n$, if for every pair of 
nonempty, disjoint subsets $\mathcal{S}_1$ and $\mathcal{S}_2$ of $\mathcal{V}$ such that $\mathcal{S}_1$ is $(r, s_{r,1})$-reachable and $\mathcal{S}_2$ is $(r, s_{r,2})$-reachable 
with $s_{r,1}$ and $s_{r,2}$ maximal (i.e., $s_{r,k} = |\mathcal{X}_{\mathcal{S}_k}|$ where $\mathcal{X}_{\mathcal{S}_k} = \{ i \in \mathcal{S}_k : |\mathcal{V}_i \setminus \mathcal{S}_k| \geq r \}$ for 
$k \in \{1, 2\}$), at least one of the following holds: 

(i) $s_{r,1} = |\mathcal{S}_1|$; 

(ii) $s_{r,2} = |\mathcal{S}_2|$; 

(iii) $s_{r,1} + s_{r,2} \geq s$. 

By convention, if $\mathcal{D}$ is empty or trivial ($n \leq 1$), then $\mathcal{D}$ is $(0, 1)$-robust. If $\mathcal{D}$ is trivial, $\mathcal{D}$ is also 
$(1, 1)$-robust. 

A few remarks are in order with respect to this definition. The definition of $(r, s)$-robustness 
aims to capture the idea that enough nodes in every pair of nonempty, disjoint sets $\mathcal{S}_1, \mathcal{S}_2 \subset \mathcal{V}$ 
have at least $r$ neighbors outside of their respective sets. To quantify what is meant by "enough" 
nodes, it is necessary to take the maximal $s_{r,k}$ for which $\mathcal{S}_k$ is $(r, s_{r,k})$-reachable for $k \in \{1, 2\}$ 
(since $\mathcal{S}_k$ is $(r, s'_{r,k})$-reachable for $s'_{r,k} \leq s_{r,k}$). Since $s_{r,k} = |\mathcal{X}_{\mathcal{S}_k}|$, condition (i) or (ii) means 
that all nodes in $\mathcal{S}_k$ have at least $r$ neighbors outside of $\mathcal{S}_k$. Given a pair $\mathcal{S}_1, \mathcal{S}_2 \subset \mathcal{V}$ such that 
$0 < |\mathcal{S}_1| < r$ and $\mathcal{S}_2 = \mathcal{V} \setminus \mathcal{S}_1$, there can be no more than $|\mathcal{S}_1|$ nodes with at least $r$ neighbors 
outside of their set. Hence, conditions (i) and (ii) quantify the maximum number of nodes 
with at least $r$ neighbors outside of their set for such pairs, and must therefore be "enough". 
Alternatively, if there are at least $s$ nodes with at least $r$ neighbors outside of their respective sets 
in the union $\mathcal{S}_1 \cup \mathcal{S}_2$, then condition (iii) is satisfied. For such pairs $\mathcal{S}_1, \mathcal{S}_2 \subset \mathcal{V}$, the parameter⁷ 
$1 \leq s \leq n$ quantifies what is meant by "enough" nodes. 

Fig. 2. A 3-robust graph that is not (3,2)-robust. 

An important observation is that $(r, 1)$-robustness is equivalent to r-robustness. This holds 
because conditions (i)–(iii) for $(r, 1)$-robustness collapse to the condition that at least one of 
$\mathcal{S}_1$ and $\mathcal{S}_2$ is r-reachable. In general, a digraph is $(r, s')$-robust if it is $(r, s)$-robust for $s' \leq s$; 
therefore, a digraph is r-robust whenever it is $(r, s)$-robust. The converse, however, is not true. 
Consider the graph in Fig. 2. This graph is 3-robust, but is not $(3, 2)$-robust. For example, let 
$\mathcal{S}_1 = \{1, 3, 5, 6, 7\}$ and $\mathcal{S}_2 = \{2, 4\}$. Then only node 2 has at least 3 neighbors outside of its set, 
so all of the conditions (i)–(iii) fail. Therefore, $(r, s)$-robustness is a strict generalization of 
r-robustness. 

Next, consider again the example of Fig. 1. It can be shown that this graph is $(2, s)$-robust 
for all $1 \leq s \leq n = 8$. This follows because all nodes in at least one of the sets $\mathcal{S}_1$ and $\mathcal{S}_2$ have 
at least 2 neighbors outside of their set, for any nonempty and disjoint $\mathcal{S}_1, \mathcal{S}_2 \subset \mathcal{V}$. Therefore, 
condition (iii) in Definition 12 is never needed, and the definition is satisfied with $r = 2$ for all 
valid values of $s$. 

⁷ Note that $s = 0$ is not allowed in $(r, s)$-robustness because in that case any digraph on $n \geq 2$ nodes satisfies the definition 
for any $r \in \mathbb{Z}_{\geq 0}$, which subverts the interpretation of the parameter $r$. At the other extreme, the maximal meaningful value of 
$s$ is $s = n$ since condition (iii) can never be satisfied with $s > n$. 

On the other hand, the graph in Fig. 1 is not 3-robust. This can be shown by selecting $\mathcal{S}_1 = X$ 
and $\mathcal{S}_2 = Y$. Note that an $(r, s)$-robust digraph is $(r', s)$-robust for $r' \leq r$. The question then 
arises, how does one compare relative robustness between digraphs? Clearly, if digraph $\mathcal{D}_1$ is 
$(r_1, s_1)$-robust and digraph $\mathcal{D}_2$ is $(r_2, s_2)$-robust with maximal $r_k$ and $s_k$ for $k \in \{1, 2\}$, where 
$r_1 \geq r_2$ and $s_1 \geq s_2$, then one can conclude that $\mathcal{D}_1$ is more robust than $\mathcal{D}_2$. However, in 
cases where $r_1 > r_2$ but $s_1 < s_2$, which digraph is more robust? For example, the graph of 
Fig. 1 is $(2, s)$-robust for all $1 \leq s \leq n = 8$, but is not 3-robust, whereas the graph in Fig. 2 
is 3-robust, but is not $(2, 5)$-robust (e.g., let $\mathcal{S}_1 = \{1, 5, 6\}$ and $\mathcal{S}_2 = \{2, 3, 4\}$). In general, the 
r-robustness property takes precedence in the partial order that determines relative robustness, 
and the maximal $s$ in $(r, s)$-robustness is used for finer grain partial ordering (i.e., ordering the 
robustness of two r-robust digraphs with the same value of $r$). Therefore, the graph in Fig. 2 
is more robust than the graph of Fig. 1. Yet, the graph of Fig. 2 is only 3-connected, whereas 
the graph of Fig. 1 is 5-connected. Hence, it is possible that a digraph with less connectivity is 
more robust. 

We demonstrate in Section V that the r-robustness property is useful for analyzing ARC-P 
with parameter $F$ under the F-local model, and show that $(r, s)$-robustness is the key property 
for analyzing ARC-P with parameter $F$ under the F-total model. More specifically, we show 
that $(F + 1, F + 1)$-robustness of the network is both necessary and sufficient for normal nodes 
using ARC-P with parameter $F$ to achieve resilient asymptotic consensus whenever the scope 
of threat is F-total, the threat model is malicious, and the network is time-invariant. Likewise, 
we show that $(2F + 1)$-robustness of the network is sufficient for ARC-P with parameter $F$ to 
achieve resilient asymptotic consensus whenever the scope of threat is F-local. 

B. Construction of Robust Digraphs 

Note that robustness requires checking every possible nonempty disjoint pair of subsets of 
nodes in the digraph for certain conditions. Currently, we do not have a computationally efficient 
method to check whether these properties hold in arbitrary digraphs. However, in [34] it is shown 
that the common preferential-attachment model for complex networks produces r-robust 
graphs, provided that a sufficient number of links are added to the network as new nodes 
are attached. In this subsection, we extend this construction to show that preferential attachment 
also leads to $(r, s)$-robust graphs. 

Theorem 2: Let $\mathcal{D} = \{\mathcal{V}, \mathcal{E}\}$ be a nonempty, nontrivial $(r, s)$-robust digraph. Then the digraph 
$\mathcal{D}' = \{\mathcal{V} \cup \{v_{\mathrm{new}}\}, \mathcal{E} \cup \mathcal{E}_{\mathrm{new}}\}$, where $v_{\mathrm{new}}$ is a new vertex added to $\mathcal{V}$ and $\mathcal{E}_{\mathrm{new}}$ is the directed 
edge set related to $v_{\mathrm{new}}$, is $(r, s)$-robust if $d_{v_{\mathrm{new}}} \geq r + s - 1$. 

Proof: For any pair of nonempty, disjoint sets $\mathcal{S}_1$ and $\mathcal{S}_2$, there are three cases to check: 
$v_{\mathrm{new}} \notin \mathcal{S}_i$, $\{v_{\mathrm{new}}\} = \mathcal{S}_i$, and $v_{\mathrm{new}} \in \mathcal{S}_i$ with $|\mathcal{S}_i| > 1$, for $i \in \{1, 2\}$. In the first case, since $\mathcal{D}$ is $(r, s)$-robust, the 
conditions in Definition 12 must hold. In the second case, $\mathcal{X}_{\mathcal{S}_i} = \mathcal{S}_i$, and we are done. In the 
third case, suppose, without loss of generality, $\mathcal{S}_2 = \mathcal{S}_2' \cup \{v_{\mathrm{new}}\}$. Since $\mathcal{D}$ is $(r, s)$-robust, at least 
one of the following conditions holds: $s_{r,1} + s'_{r,2} \geq s$, $s_{r,1} = |\mathcal{S}_1|$, or $s'_{r,2} = |\mathcal{S}_2'|$. If either of the 
first two holds, then the corresponding condition holds for the pair $\mathcal{S}_1, \mathcal{S}_2$ in $\mathcal{D}'$. So assume only 
$s'_{r,2} = |\mathcal{S}_2'|$ holds. Then the negation of the first condition, $s_{r,1} + s'_{r,2} < s$, implies $s'_{r,2} = |\mathcal{S}_2'| < s$. 
Hence, $|\mathcal{V}_{v_{\mathrm{new}}} \setminus \mathcal{S}_2| \geq r$, and $s_{r,2} = |\mathcal{S}_2|$, completing the proof. ■ 

The above result indicates that to construct an $(r, s)$-robust digraph with $n$ nodes (where 
$n > r$), we can start with an $(r, s)$-robust digraph of relatively smaller order (such as a 
complete graph), and continually add new nodes with incoming edges from at least $r + s - 1$ 
nodes in the existing digraph. Note that this method does not specify which existing nodes 
should be chosen. The preferential-attachment model corresponds to the case where the nodes 
are selected with a probability proportional to the number of edges that they already have. This 
leads to the formation of so-called scale-free networks, and is cited as a plausible mechanism 
for the formation of many real-world complex networks. Theorem 2 indicates that a large class of 
scale-free networks are resilient to the threat models studied in this paper (provided the number 
of edges added in each round is sufficiently large when the network is forming). 

For example, Fig. 3 illustrates a $(3, 2)$-robust graph constructed using the preferential-attachment 
model starting with the complete graph on 5 nodes, $K_5$ (which is also $(3, 3)$-robust and is 
the only $(3, 2)$-robust digraph on 5 nodes), and with 4 new edges added to each new node. Note 
that this graph is also 4-robust, which could not be predicted from Theorem 2 since $K_5$ is not 
4-robust. Therefore, it is actually possible (but not guaranteed) to end up with a more robust 
digraph than the initial one using the preferential-attachment growth model. 
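To make Definitions 9 to 12 and the growth step of Theorem 2 concrete, here is a brute-force checker written for this page (it is an added example, not the paper's code). `adj` maps each node to its set of in-neighbors $\mathcal{V}_i$, `reach_count` computes $|\mathcal{X}_{\mathcal{S}}|$, and `max_s` enumerates every pair of nonempty, disjoint subsets to find the largest $s$ for which the digraph is $(r, s)$-robust. The graphs are constructed here: an instance consistent with the description of Fig. 1 (the node labels and the cross edges between $X$ and $Y$ are our choice), $K_5$, and $K_5$ grown by a sixth node with $r + s - 1 = 4$ in-neighbors for $(r, s) = (3, 2)$; the same step with only four in-neighbors does not yield $(3, 3)$-robustness, for which Theorem 2 asks for $r + s - 1 = 5$.

```python
"""Brute-force checks of r-reachability, r-robustness and (r, s)-robustness
(Definitions 9 to 12), as an added illustration; this is not the paper's code.

adj[i] is the set of in-neighbours V_i of node i.  Every pair of nonempty,
disjoint subsets is enumerated (3^n label assignments), which is fine for the
small constructed graphs used here: an instance matching the description of
Fig. 1, the complete graph K5, and the Theorem 2 growth step.
"""
from itertools import product


def reach_count(adj, S, r):
    """|X_S|: number of nodes of S having at least r in-neighbours outside S."""
    return sum(1 for i in S if len(adj[i] - S) >= r)


def max_s(adj, r):
    """For n >= 2: the largest s such that the digraph is (r, s)-robust, i.e. the
    minimum of s_{r,1} + s_{r,2} over all pairs for which neither condition (i)
    nor (ii) of Definition 12 holds (n if every pair satisfies (i) or (ii)).
    A value of 0 means the digraph is not even r-robust."""
    nodes = sorted(adj)
    best = len(nodes)
    for labels in product((0, 1, 2), repeat=len(nodes)):
        S1 = {v for v, l in zip(nodes, labels) if l == 1}
        S2 = {v for v, l in zip(nodes, labels) if l == 2}
        if not S1 or not S2:
            continue
        s1, s2 = reach_count(adj, S1, r), reach_count(adj, S2, r)
        if s1 == len(S1) or s2 == len(S2):
            continue                    # condition (i) or (ii) holds
        best = min(best, s1 + s2)       # only condition (iii) can save this pair
        if best == 0:
            break
    return best


def is_rs_robust(adj, r, s):
    """Definition 12, including the conventions for empty and trivial digraphs."""
    n = len(adj)
    if n == 0:
        return (r, s) == (0, 1)
    if n == 1:
        return s == 1 and r in (0, 1)
    return 1 <= s <= n and max_s(adj, r) >= s


def is_r_robust(adj, r):
    """Definition 10; equivalent to (r, 1)-robustness."""
    return is_rs_robust(adj, r, 1)


def robustness_index(adj):
    """Largest r for which the digraph is r-robust, then the largest s for that r."""
    n = len(adj)
    if n == 0:
        return (0, 1)
    if n == 1:
        return (1, 1)
    r = 0
    while max_s(adj, r + 1) >= 1:
        r += 1
    return r, max_s(adj, r)


def undirected(n, edges):
    """Undirected graph on nodes 1..n as a digraph with edges in both directions."""
    adj = {i: set() for i in range(1, n + 1)}
    for a, b in edges:
        adj[a].add(b)
        adj[b].add(a)
    return adj


def complete_graph(n):
    return undirected(n, [(a, b) for a in range(1, n + 1) for b in range(a + 1, n + 1)])


def fig1_like_graph():
    """Constructed instance consistent with the description of Fig. 1:
    X = {1,2,3,4} is K4, Y = {5,...,9} is K5, each node of X has two
    neighbours in Y, and nodes 5 and 9 have a single neighbour in X."""
    cross = [(1, 5), (1, 6), (2, 6), (2, 7), (3, 7), (3, 8), (4, 8), (4, 9)]
    k4 = [(a, b) for a in range(1, 5) for b in range(a + 1, 5)]
    k5 = [(a, b) for a in range(5, 10) for b in range(a + 1, 10)]
    return undirected(9, cross + k4 + k5)


def grow(adj, new, in_neighbors):
    """Theorem 2 growth step: add `new` with directed edges from `in_neighbors`."""
    grown = {i: set(nb) for i, nb in adj.items()}
    grown[new] = set(in_neighbors)
    return grown
```

`robustness_index(fig1_like_graph())` reports $r = 2$ with the largest possible $s$ (every pair of disjoint sets satisfies (i) or (ii) for $r = 2$), while the pair $X, Y$ shows the graph is not 3-robust; `grow(complete_graph(5), 6, {1, 2, 3, 4})` is $(3, 2)$-robust as Theorem 2 guarantees. Because the enumeration is exponential in the number of nodes, this checker is a tool for verifying small examples by hand, not a method for arbitrary digraphs, which the text above notes is still open.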



Fig. 3. A (3, 2)-robust graph constructed from $K_5$ using preferential attachment. 



V. RESILIENT CONSENSUS RESULTS 

In this section, we provide the key results showing that sufficiently robust digraphs guarantee 
resilient consensus. We begin with the following result showing that ARC-P always satisfies the 
safety condition for resilient asymptotic consensus. Recall that $M[t]$ and $m[t]$ are the maximum 
and minimum values of the normal nodes at time $t$, respectively. 

Lemma 3: Suppose each normal node updates its value according to ARC-P with parameter 
$F$ under the F-total or F-local malicious model. Then, for each normal node $i \in \mathcal{N}$, $x_i[t] \in 
[m[0], M[0]]$ for all $t$, regardless of the network topology. 

Proof: The proof for discrete time is straightforward and follows directly from the definitions 
and the fact that the values in $\mathcal{J}_i[t] \setminus \mathcal{R}_i[t]$ used in the ARC-P update rule lie in the interval 
$[m[t], M[t]]$ and the update rule is a convex combination of these values. For continuous 
time, we have proved this in Lemma 2. ■ 

An immediate consequence of Lemma 3 is that $M[\cdot]$ is nonincreasing with time, and $m[\cdot]$ is 
nondecreasing with time. From this, it follows that the Lyapunov candidate $\Psi[t] = M[t] - m[t]$ 
is nonincreasing with time. In the following sections, we show that this Lyapunov function 
decreases over sufficiently large time intervals whenever the normal nodes update their values 
according to ARC-P, provided the network is sufficiently robust. 
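As an added example (not code from the paper), the following Python implements the discrete-time ARC-P update with uniform weights and runs it on two constructed graphs. The first is an instance built to match the description of Fig. 1 (the node labels and the cross edges between $X$ and $Y$ are our choice); with $X$ at value $a$ and $Y$ at value $b$ the protocol stalls with no misbehaving node at all, as Proposition 1 states. The second is the complete graph $K_5$ with one malicious node whose broadcasts lie far outside $[m[0], M[0]]$: the normal values never leave that interval and $\Psi[t]$ never grows (Lemma 3), and the normal nodes still reach consensus, which is what Theorem 3 predicts for a $(2, 2)$-robust graph with $F = 1$.

```python
"""Discrete-time ARC-P with uniform weights, as an added illustration.

This is not the paper's code.  Each normal node discards the F largest
neighbour values above its own and the F smallest below it (fewer if fewer
exist) and then averages its own value with the survivors.  Two constructed
scenarios are run: a graph matching the description of Fig. 1, where ARC-P
stalls even without misbehaving nodes, and K5 with one malicious node, where
the normal values stay inside [m[0], M[0]] and still reach consensus.
"""


def arcp_update(own, neighbor_values, F):
    """One ARC-P step for a single node: remove up to F values above `own`
    (the largest ones) and up to F below it (the smallest ones), then average
    `own` with everything that is left, using uniform weights."""
    larger = sorted(v for v in neighbor_values if v > own)
    smaller = sorted(v for v in neighbor_values if v < own)
    kept = larger[:max(0, len(larger) - F)] + smaller[F:]
    kept += [v for v in neighbor_values if v == own]
    return (own + sum(kept)) / (1 + len(kept))


def simulate(adj, x0, F, adversaries=None, steps=50):
    """Synchronous ARC-P for `steps` rounds.  adj[i] is the set of in-neighbours
    of i; `adversaries` maps a node id to a function t -> value it broadcasts
    at round t.  Returns the list of states (dicts), starting with x0."""
    adversaries = adversaries or {}
    history = [dict(x0)]
    for t in range(steps):
        x = history[-1]
        nxt = {}
        for i in adj:
            if i in adversaries:
                nxt[i] = adversaries[i](t)
            else:
                nxt[i] = arcp_update(x[i], [x[j] for j in adj[i]], F)
        history.append(nxt)
    return history


def undirected(n, edges):
    """Undirected graph on nodes 1..n, stored as in-neighbour sets."""
    adj = {i: set() for i in range(1, n + 1)}
    for a, b in edges:
        adj[a].add(b)
        adj[b].add(a)
    return adj


def fig1_like_graph():
    """Constructed instance consistent with the description of Fig. 1:
    X = {1,2,3,4} is K4, Y = {5,...,9} is K5, each node of X has two
    neighbours in Y, and nodes 5 and 9 have a single neighbour in X."""
    cross = [(1, 5), (1, 6), (2, 6), (2, 7), (3, 7), (3, 8), (4, 8), (4, 9)]
    k4 = [(a, b) for a in range(1, 5) for b in range(a + 1, 5)]
    k5 = [(a, b) for a in range(5, 10) for b in range(a + 1, 10)]
    return undirected(9, cross + k4 + k5)


def fig1_stalls(a=0.0, b=1.0, steps=20):
    """True if no node ever changes its value when X starts at a and Y at b
    (F = 2): every node discards exactly its two cross-set neighbours."""
    adj = fig1_like_graph()
    x0 = {i: (a if i <= 4 else b) for i in adj}
    history = simulate(adj, x0, F=2, steps=steps)
    return all(state == x0 for state in history)


def k5_under_attack(F=1, steps=60):
    """Normal nodes 1-4 start at 0, 1, 2, 3; node 5 is malicious and alternates
    between +100 and -100 (constructed attack values).  Returns the final
    spread M - m of the normal values, whether every normal value stayed in
    [0, 3] at every round, and whether Psi[t] = M[t] - m[t] never increased."""
    adj = undirected(5, [(a, b) for a in range(1, 6) for b in range(a + 1, 6)])
    x0 = {1: 0.0, 2: 1.0, 3: 2.0, 4: 3.0, 5: 100.0}
    attack = {5: lambda t: 100.0 if t % 2 == 0 else -100.0}
    history = simulate(adj, x0, F, attack, steps)
    normals = [[state[i] for i in (1, 2, 3, 4)] for state in history]
    psi = [max(v) - min(v) for v in normals]
    safe = all(0.0 <= x <= 3.0 for v in normals for x in v)
    # Small tolerance only to absorb floating-point rounding of the averages.
    monotone = all(psi[k + 1] <= psi[k] + 1e-12 for k in range(len(psi) - 1))
    return psi[-1], safe, monotone
```

In the $K_5$ run each normal node sees four neighbors, one of which is the adversary, so with $F = 1$ the single out-of-range value is always among the discarded extremes; the update is then a convex combination of values in $[m[t], M[t]]$, which is exactly the argument in the proof of Lemma 3.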



A. F-Total Model 

Theorem 3: Consider a time-invariant network modeled by a directed graph $\mathcal{D} = \{\mathcal{V}, \mathcal{E}\}$ 
where each normal node updates its value according to ARC-P with parameter $F$. Then, resilient 
asymptotic consensus is achieved under the F-total malicious model if and only if the network 
topology is $(F + 1, F + 1)$-robust. 

Proof: (Necessity) If $\mathcal{D}$ is not $(F + 1, F + 1)$-robust, then there are nonempty, disjoint 
$\mathcal{S}_1, \mathcal{S}_2 \subset \mathcal{V}$ such that none of the conditions (i)–(iii) hold. Suppose the initial value of each 
node in $\mathcal{S}_1$ is $a$ and each node in $\mathcal{S}_2$ is $b$, with $a < b$. Let all other nodes have initial values 
taken from the interval $(a, b)$. Since $s_{F+1,1} + s_{F+1,2} \leq F$, suppose all nodes in $\mathcal{X}_{\mathcal{S}_1}$ and $\mathcal{X}_{\mathcal{S}_2}$ are 
malicious and keep their values constant. With this assignment of adversaries, there is still at 
least one normal node in both $\mathcal{S}_1$ and $\mathcal{S}_2$ since $s_{F+1,1} < |\mathcal{S}_1|$ and $s_{F+1,2} < |\mathcal{S}_2|$, respectively. 
Since these normal nodes remove the $F$ or fewer values of in-neighbors outside of their respective 
sets, no consensus among normal nodes is reached. 

(Sufficiency) [Continuous Time] We know from Lemma 3 that both $M[\cdot]$ and $m[\cdot]$ are 
monotone and bounded functions of $t$, and therefore each of them has a limit, denoted by 
$A_M$ and $A_m$, respectively. Note that if $A_M = A_m$, then the normal nodes will achieve resilient 
asymptotic consensus. We will prove by contradiction that this must be the case. The main 
idea behind the proof is to use the gap between $A_M$ and $A_m$ and combine this with both the 
uniform continuity assumption on the malicious nodes' value trajectories and a careful selection 
of subsets of nodes to show that $\Psi$ will shrink to be smaller than the gap $A_M - A_m$ in 
finite time (a contradiction). To this end, suppose that $A_M \neq A_m$ (note that $A_M \geq A_m$ by 
definition). Since $M[t] \to A_M$ monotonically, we have $M[t] \geq A_M$ for all $t \geq 0$. Similarly, 
$m[t] \leq A_m$ for all $t \geq 0$. Moreover, for each $\epsilon > 0$ there exists $t_\epsilon > 0$ such that $M[t] < A_M + \epsilon$ 
and $m[t] > A_m - \epsilon$, $\forall t \geq t_\epsilon$. Next, define the constant $\epsilon_0 = (A_M - A_m)/4 > 0$, which satisfies 
$M[t] - \epsilon_0 \geq m[t] + \epsilon_0 + (A_M - A_m)/2$. This inequality informs the choice of subsets of nodes 
to be defined shortly in order to limit the influence of the malicious nodes. Indeed, since the 
adversary trajectory $x_k$ is uniformly continuous on $[0, \infty)$ for $k \in \mathcal{A}$, it follows that for each 
$\nu > 0$, there exists $\delta_k(\nu) > 0$ such that $|x_k[t_1] - x_k[t_2]| < \nu$ whenever $|t_1 - t_2| < \delta_k(\nu)$. Define 
$\delta(\nu) = \min_{k \in \mathcal{A}}\{\delta_k(\nu)\}$. 

Next, we define the sets of nodes that are vital to the proof. For any $t_0 \geq 0$, $t \geq t_0$, $\Delta > 0$, 
and $\eta > 0$, define 

$$\mathcal{X}_M(t, t_0, \Delta, \eta) = \{ i \in \mathcal{V} : \exists t' \in [t, t + \Delta] \text{ s.t. } x_i[t'] > M[t_0] - \eta \}$$

and 

$$\mathcal{X}_m(t, t_0, \Delta, \eta) = \{ i \in \mathcal{V} : \exists t' \in [t, t + \Delta] \text{ s.t. } x_i[t'] < m[t_0] + \eta \}.$$

Observe that if we choose $\eta < \epsilon_0 = (A_M - A_m)/4$, $\nu < (A_M - A_m)/2$, and $\Delta < \delta(\nu)$, then 
we are guaranteed that for any $t_0 \geq 0$ and $t \geq t_0$, $\mathcal{X}_M(t, t_0, \Delta, \eta) \cap \mathcal{X}_m(t, t_0, \Delta, \eta) \cap \mathcal{A} = \emptyset$. 
That is, with these choices of $\eta$, $\nu$, and $\Delta$, no malicious node can be in both $\mathcal{X}_M(t, t_0, \Delta, \eta)$ and 
$\mathcal{X}_m(t, t_0, \Delta, \eta)$. This follows because otherwise there exist $t_1, t_2 \in [t, t + \Delta]$ and $k \in \mathcal{A}$ such 
that $x_k[t_1] > M[t_0] - \eta$ and $x_k[t_2] < m[t_0] + \eta$, from which we reach the contradiction 

$$x_k[t_1] - x_k[t_2] > M[t_0] - m[t_0] - 2\eta \geq A_M - A_m - 2\eta > \frac{A_M - A_m}{2} > \nu.$$

We proceed by showing that if we choose $\eta$, $\nu$, and $\Delta$ small enough, then no normal node 
can be in both $\mathcal{X}_M(t, t_0, \Delta, \eta)$ and $\mathcal{X}_m(t, t_0, \Delta, \eta)$ for any $t_0 \geq 0$ and $t \geq t_0$. First, we require 
some generic bounds on the normal node trajectories. For $i \in \mathcal{N}$ with $x_i[t'] \leq M[t']$, we know 
from Lemmas 1 and 3 that for $t \geq t'$, 

$$\dot{x}_i[t] = \sum_{j \in \mathcal{V}_i \setminus \mathcal{R}_i[t]} w_{ij}[t]\,(x_j[t] - x_i[t]) \leq B\,(M[t'] - x_i[t]),$$

whenever the derivative exists⁸, where $B = (n - F - 1)\beta$ is the product of the upper bound on the 
weights $\beta$ and the maximum number of neighboring values used that have value at most $M[t] \leq M[t']$, 
namely $n - 1 - F$ (since there is a maximum of $n - 1$ neighbors, $F$ of which would be thrown away). 
Using the integrating factor $e^{B(t - t')}$, and integrating in the sense of Lebesgue, we have 

$$x_i[t] \leq x_i[t']\, e^{-B(t - t')} + M[t']\,(1 - e^{-B(t - t')}), \quad \forall t \geq t'. \qquad (7)$$

By interchanging the roles of $t$ and $t'$, we have 

$$x_i[t] \geq x_i[t']\, e^{B(t' - t)} + M[t]\,(1 - e^{B(t' - t)}), \quad \forall t \leq t'. \qquad (8)$$

Similarly, we can show that for $j \in \mathcal{N}$ with $x_j[t'] \geq m[t']$, 

$$x_j[t] \geq x_j[t']\, e^{-B(t - t')} + m[t']\,(1 - e^{-B(t - t')}), \quad \forall t \geq t', \qquad (9)$$

and 

$$x_j[t] \leq x_j[t']\, e^{B(t' - t)} + m[t]\,(1 - e^{B(t' - t)}), \quad \forall t \leq t'. \qquad (10)$$

⁸ The solutions of the normal nodes' trajectories are understood in the sense of Carathéodory. Hence, it is possible that the 
derivative of the solution does not exist on a set of points in time of Lebesgue measure zero. 



Now fix $\eta < \epsilon_0 = (A_M - A_m)/4$, $\nu < (A_M - A_m)/2$, and $\Delta < \min\{\delta(\nu), \log(3)/B\}$, and 
suppose $i \in \mathcal{N} \cap \mathcal{X}_M(t, t_0, \Delta, \eta)$. Then $\exists t' \in [t, t + \Delta]$ such that $x_i[t'] > M[t_0] - \eta$. Combining 
this with (9), it follows that for $s \in [t', t + \Delta]$, 

$$\begin{aligned}
x_i[s] &\geq x_i[t']\, e^{-B(s - t')} + m[t']\,(1 - e^{-B(s - t')}) \\
&> (M[t_0] - \eta)\, e^{-B(s - t')} + m[t_0]\,(1 - e^{-B(s - t')}) \\
&\geq (A_M - \eta)\, e^{-B(s - t')} + m[t_0] - A_m\, e^{-B(s - t')} \\
&> m[t_0] + (A_M - A_m)\, e^{-B(s - t')} - \frac{A_M - A_m}{4}\, e^{-B(s - t')} \\
&\geq m[t_0] + \tfrac{3}{4}(A_M - A_m)\, e^{-B\Delta} \\
&> m[t_0] + \frac{A_M - A_m}{4} > m[t_0] + \eta,
\end{aligned}$$

where we have used the fact that $\Delta < \log(3)/B$ in deriving the last line. Similarly, using (8), it 
follows that for $s \in [t, t']$, 

$$\begin{aligned}
x_i[s] &\geq x_i[t']\, e^{B(t' - s)} + M[s]\,(1 - e^{B(t' - s)}) \\
&> (M[t_0] - \eta)\, e^{B(t' - s)} + M[s]\,(1 - e^{B(t' - s)}) \\
&\geq M[s] - \eta\, e^{B(t' - s)} \\
&> M[s] - 3\eta \\
&\geq A_M - 3\eta \\
&> \frac{A_M + A_m}{2} - \frac{A_M - A_m}{4} \\
&> m[t_0] + \eta.
\end{aligned}$$

Therefore, $i \notin \mathcal{X}_m(t, t_0, \Delta, \eta)$. 



Similarly, with the given choices for $\eta$, $\nu$, and $\Delta$, if $j \in \mathcal{N} \cap \mathcal{X}_m(t, t_0, \Delta, \eta)$, so that 
$x_j[t'] < m[t_0] + \eta$ for some $t' \in [t, t + \Delta]$, then it follows from (7) that for $s \in [t', t + \Delta]$, 

$$\begin{aligned}
x_j[s] &\leq x_j[t']\, e^{-B(s - t')} + M[t']\,(1 - e^{-B(s - t')}) \\
&< (m[t_0] + \eta)\, e^{-B(s - t')} + M[t_0]\,(1 - e^{-B(s - t')}) \\
&= M[t_0] - (M[t_0] - m[t_0])\, e^{-B(s - t')} + \eta\, e^{-B(s - t')} \\
&< M[t_0] - (A_M - A_m)\, e^{-B(s - t')} + \frac{A_M - A_m}{4}\, e^{-B(s - t')} \\
&\leq M[t_0] - \tfrac{3}{4}(A_M - A_m)\, e^{-B\Delta} \\
&< M[t_0] - \frac{A_M - A_m}{4} < M[t_0] - \eta,
\end{aligned}$$

where we have used the fact that $\Delta < \log(3)/B$ in deriving the last line. Finally, using (10), it 
follows that for $s \in [t, t']$, 

$$\begin{aligned}
x_j[s] &\leq x_j[t']\, e^{B(t' - s)} + m[s]\,(1 - e^{B(t' - s)}) \\
&< (m[t_0] + \eta)\, e^{B(t' - s)} + m[s]\,(1 - e^{B(t' - s)}) \\
&\leq m[s] + \eta\, e^{B(t' - s)} \\
&< m[s] + 3\eta \\
&\leq A_m + 3\eta \\
&< \frac{A_M + A_m}{2} + \frac{A_M - A_m}{4} \\
&< M[t_0] - \eta.
\end{aligned}$$

Thus, $j \notin \mathcal{X}_M(t, t_0, \Delta, \eta)$. This shows that $\mathcal{X}_M(t, t_0, \Delta, \eta)$ and $\mathcal{X}_m(t, t_0, \Delta, \eta)$ are disjoint for 
appropriate choices of the parameters. 

Next, we show that by choosing $\epsilon$ small enough, we can define a sequence of sets, $\{\mathcal{X}_M(t_\epsilon + 
k\Delta, t_\epsilon, \Delta, \epsilon_k)\}_{k=0}^{N}$ and $\{\mathcal{X}_m(t_\epsilon + k\Delta, t_\epsilon, \Delta, \epsilon_k)\}_{k=0}^{N}$, where $N = |\mathcal{N}|$, so that we are guaranteed 
that by the $N$th step, at least one of the sets contains no normal nodes. This will be used to show 
that $\Psi$ has shrunk below $A_M - A_m$. Toward this end, let $\epsilon_0 = (A_M - A_m)/4$, $\nu < (A_M - A_m)/2$, 
and $\Delta < \min\{\delta(\nu), \log(3)/B\}$. Then fix 

$$\epsilon < \frac{1}{2}\left[\frac{\alpha}{B}\left(1 - e^{-B\Delta}\right) e^{-B\Delta}\right]^{2N} \epsilon_0.$$

For $k = 0, 1, 2, \ldots, N$, define $\epsilon_k = \left[\frac{\alpha}{B}\left(1 - e^{-B\Delta}\right) e^{-B\Delta}\right]^{2k} \epsilon_0$, which results in $\epsilon_0 > \epsilon_1 > \cdots > 
\epsilon_N > 2\epsilon > 0$. For brevity, define $\mathcal{X}_M^k = \mathcal{X}_M(t_\epsilon + k\Delta, t_\epsilon, \Delta, \epsilon_k)$ and $\mathcal{X}_m^k = \mathcal{X}_m(t_\epsilon + k\Delta, t_\epsilon, \Delta, \epsilon_k)$ 
for $k = 0, 1, \ldots, N$. Observe that by definition, there is at least one normal node (the ones 
with extremal values) in $\mathcal{X}_M^0$ and $\mathcal{X}_m^0$, and we have shown above that all of the $\mathcal{X}_M^k$ and $\mathcal{X}_m^k$ 
are disjoint. It follows from the fact that there are at most $F$ malicious nodes in the network 
(F-total model) and $\mathcal{D}$ is $(F + 1, F + 1)$-robust, that either $\exists i \in \mathcal{X}_M^0 \cap \mathcal{N}$ or $\exists i \in \mathcal{X}_m^0 \cap \mathcal{N}$ (or 
both) such that $i$ has at least $F + 1$ neighbors outside of its set. That is, either $i$ has at least $F + 1$ 
neighbors $i_1, i_2, \ldots, i_{F+1}$ such that $x_{i_k}[t] \leq M[t_\epsilon] - \epsilon_0$ for all $t \in [t_\epsilon, t_\epsilon + \Delta]$ (if $i \in \mathcal{X}_M^0 \cap \mathcal{N}$), 
or $x_{i_k}[t] \geq m[t_\epsilon] + \epsilon_0$ for all $t \in [t_\epsilon, t_\epsilon + \Delta]$ (if $i \in \mathcal{X}_m^0 \cap \mathcal{N}$). Note that it can be shown that 
the minimum in-degree of an $(F + 1, F + 1)$-robust digraph is at least $2F + 1$. It follows from 
this that $i$ will always use at least one neighbor's value in its update. Assume $i \in \mathcal{X}_M^0 \cap \mathcal{N}$ and 
suppose that none of the $F + 1$ (or more) neighbors outside of $\mathcal{X}_M^0$ are used in its update at 
some time $t' \in [t_\epsilon, t_\epsilon + \Delta]$ at which the derivative exists. Then, $x_i[t'] \leq M[t_\epsilon] - \epsilon_0$ (otherwise, 
it would use at least one of its $F + 1$ neighbors' values outside of $\mathcal{X}_M^0$). It follows from (7) that 

$$x_i[t_\epsilon + \Delta] \leq M[t_\epsilon] - \epsilon_0\, e^{-B\Delta}.$$

Using this with (7) to upper bound $x_i[t]$ for $t \in [t_\epsilon + \Delta, t_\epsilon + 2\Delta]$, we see that 

$$x_i[t] \leq M[t_\epsilon] - \epsilon_0\, e^{-2B\Delta} < M[t_\epsilon] - \epsilon_1.$$

Therefore, in this case $i \notin \mathcal{X}_M^1$. Alternatively, assume at least one of the values from its neighbors 
outside of $\mathcal{X}_M^0$ is used for almost all $t \in [t_\epsilon, t_\epsilon + \Delta]$. Then, 



$$\dot{x}_i[t] \leq \alpha\,(M[t_\epsilon] - \epsilon_0 - x_i[t]) + (B - \alpha)\,(M[t_\epsilon] - x_i[t]) \leq -B\, x_i[t] + B\, M[t_\epsilon] - \alpha\, \epsilon_0,$$

for almost all $t \in [t_\epsilon, t_\epsilon + \Delta]$. Using this, we can show 

$$x_i[t_\epsilon + \Delta] \leq x_i[t_\epsilon]\, e^{-B\Delta} + \left(M[t_\epsilon] - \frac{\alpha}{B}\epsilon_0\right)\left(1 - e^{-B\Delta}\right) \leq M[t_\epsilon] - \frac{\alpha}{B}\epsilon_0 \left(1 - e^{-B\Delta}\right).$$

Using this with (7) to upper bound $x_i[t]$ for $t \in [t_\epsilon + \Delta, t_\epsilon + 2\Delta]$, we see that for all $t \in 
[t_\epsilon + \Delta, t_\epsilon + 2\Delta]$, 

$$\begin{aligned}
x_i[t] &\leq M[t_\epsilon] - \frac{\alpha}{B}\epsilon_0 \left(1 - e^{-B\Delta}\right) e^{-B(t - t_\epsilon - \Delta)} \\
&\leq M[t_\epsilon] - \frac{\alpha}{B}\left(1 - e^{-B\Delta}\right) e^{-B\Delta}\, \epsilon_0 \\
&< M[t_\epsilon] - \epsilon_1.
\end{aligned}$$

Thus, in either case $i \notin \mathcal{X}_M^1$. The final step is to show that $j \notin \mathcal{X}_m^1$ whenever $j$ is a normal node 
with $j \notin \mathcal{X}_m^0$. Since $j \notin \mathcal{X}_m^0$, it means that $x_j[t_\epsilon + \Delta] \geq m[t_\epsilon] + \epsilon_0$. Using this with (9) to lower 
bound $x_j[t]$ for $t \in [t_\epsilon + \Delta, t_\epsilon + 2\Delta]$, we see that 

$$x_j[t] \geq m[t_\epsilon] + \epsilon_0\, e^{-B\Delta} > m[t_\epsilon] + \epsilon_1.$$

Hence, $j$ is also not in $\mathcal{X}_m^1$, as claimed. Therefore, if $i \in \mathcal{X}_M^0 \cap \mathcal{N}$ has at least $F + 1$ neighbors 
outside of its set, we are guaranteed that $|\mathcal{X}_M^1 \cap \mathcal{N}| < |\mathcal{X}_M^0 \cap \mathcal{N}|$ and $|\mathcal{X}_m^1 \cap \mathcal{N}| \leq |\mathcal{X}_m^0 \cap \mathcal{N}|$. 
Using a similar argument, we can show that if $i \in \mathcal{X}_m^0 \cap \mathcal{N}$ has at least $F + 1$ neighbors outside 
of its set, we are guaranteed that $|\mathcal{X}_m^1 \cap \mathcal{N}| < |\mathcal{X}_m^0 \cap \mathcal{N}|$ and $|\mathcal{X}_M^1 \cap \mathcal{N}| \leq |\mathcal{X}_M^0 \cap \mathcal{N}|$. 

Now, if both $\mathcal{X}_M^1 \cap \mathcal{N}$ and $\mathcal{X}_m^1 \cap \mathcal{N}$ are nonempty, we can repeat the above argument to show 
that either $|\mathcal{X}_M^2 \cap \mathcal{N}| < |\mathcal{X}_M^1 \cap \mathcal{N}|$ or $|\mathcal{X}_m^2 \cap \mathcal{N}| < |\mathcal{X}_m^1 \cap \mathcal{N}|$, or both. It follows by induction 
that as long as both $\mathcal{X}_M^j \cap \mathcal{N}$ and $\mathcal{X}_m^j \cap \mathcal{N}$ are nonempty, then either $|\mathcal{X}_M^{j+1} \cap \mathcal{N}| < |\mathcal{X}_M^j \cap \mathcal{N}|$ 
or $|\mathcal{X}_m^{j+1} \cap \mathcal{N}| < |\mathcal{X}_m^j \cap \mathcal{N}|$ (or both), for $j = 1, 2, \ldots$. Since $|\mathcal{X}_M^0 \cap \mathcal{N}| + |\mathcal{X}_m^0 \cap \mathcal{N}| \leq N$, 
there exists $T \leq N$ such that at least one of $\mathcal{X}_M^T \cap \mathcal{N}$ and $\mathcal{X}_m^T \cap \mathcal{N}$ is empty. If $\mathcal{X}_M^T \cap \mathcal{N} = \emptyset$, 
then $M[t_\epsilon + T\Delta] \leq M[t_\epsilon] - \epsilon_T < M[t_\epsilon] - 2\epsilon$. Similarly, if $\mathcal{X}_m^T \cap \mathcal{N} = \emptyset$, then $m[t_\epsilon + T\Delta] \geq 
m[t_\epsilon] + \epsilon_T > m[t_\epsilon] + 2\epsilon$. In either case, $\Psi[t_\epsilon + T\Delta] < A_M - A_m$ and we reach the desired 
contradiction. 

(Sufficiency) [Discrete Time] Because ^ is a nonincreasing function of t, whenever the normal 
nodes are in agreement at time t , then consensus is maintained for t >t . Therefore, fix t > 
and assume *ff[t ] > 0. For t > t and rj > 0, define X M (t,t ,rj) = {j E V: Xj[t] > M[t ] — r/} 
and X m (t,t ,r)) = {j E V: Xj[t] < m[t ] + rj}. Define e = \&[to]/2 and define = aej-i 
for = 1, 2, . . . , N — 1, where iV = A/". It follows that ej = a- 3 e > 0. By definition, the sets 
A'm^oj *tb eo) and X m (t , t , e ) are nonempty and disjoint. Because I? is (F + 1, F + l)-robust 
and there are at most F malicious nodes in the network (F-total model), it follows that either 



- e- BA )e- B ^- A h 



- e~ BA )e- BA e 



there exists $i \in \mathcal{X}_M(t_0, t_0, \varepsilon_0) \cap \mathcal{N}$ or there exists $i \in \mathcal{X}_m(t_0, t_0, \varepsilon_0) \cap \mathcal{N}$, or there exists such $i$ in both, such that $i$ has at least $F+1$ neighbors outside of its set. Therefore, if $i \in \mathcal{X}_M(t_0, t_0, \varepsilon_0) \cap \mathcal{N}$ (with at least $F+1$ neighbors outside its set), then

$$x_i[t_0+1] = w_{ii}[t_0]\,x_i[t_0] + \sum_{j \in \mathcal{J}_i \setminus \mathcal{R}_i[t_0]} w_{ij}[t_0]\,x_j[t_0] \le \alpha\bigl(M[t_0] - \varepsilon_0\bigr) + (1-\alpha)M[t_0] \le M[t_0] - \alpha\varepsilon_0 = M[t_0] - \varepsilon_1.$$

Note that for any normal node not in $\mathcal{X}_M(t_0, t_0, \varepsilon_0)$, the above inequality holds because any normal node always uses its own value in the update. From this, we conclude $|\mathcal{X}_M(t_0+1, t_0, \varepsilon_1) \cap \mathcal{N}| < |\mathcal{X}_M(t_0, t_0, \varepsilon_0) \cap \mathcal{N}|$. Similarly, if $i \in \mathcal{X}_m(t_0, t_0, \varepsilon_0) \cap \mathcal{N}$ (with at least $F+1$ neighbors outside its set), then

$$x_i[t_0+1] = w_{ii}[t_0]\,x_i[t_0] + \sum_{j \in \mathcal{J}_i \setminus \mathcal{R}_i[t_0]} w_{ij}[t_0]\,x_j[t_0] \ge \alpha\bigl(m[t_0] + \varepsilon_0\bigr) + (1-\alpha)m[t_0] \ge m[t_0] + \alpha\varepsilon_0 = m[t_0] + \varepsilon_1.$$

Similarly as above, this inequality holds for any normal node not in $\mathcal{X}_m(t_0, t_0, \varepsilon_0)$. From this, we conclude

$$|\mathcal{X}_m(t_0+1, t_0, \varepsilon_1) \cap \mathcal{N}| < |\mathcal{X}_m(t_0, t_0, \varepsilon_0) \cap \mathcal{N}|.$$

By repeating this analysis, we can show by induction that as long as both $\mathcal{X}_M(t_0+j, t_0, \varepsilon_j) \cap \mathcal{N}$ and $\mathcal{X}_m(t_0+j, t_0, \varepsilon_j) \cap \mathcal{N}$ are nonempty, then either $|\mathcal{X}_M(t_0+j+1, t_0, \varepsilon_{j+1}) \cap \mathcal{N}| < |\mathcal{X}_M(t_0+j, t_0, \varepsilon_j) \cap \mathcal{N}|$, or $|\mathcal{X}_m(t_0+j+1, t_0, \varepsilon_{j+1}) \cap \mathcal{N}| < |\mathcal{X}_m(t_0+j, t_0, \varepsilon_j) \cap \mathcal{N}|$, or both. Since $|\mathcal{X}_M(t_0, t_0, \varepsilon_0) \cap \mathcal{N}| + |\mathcal{X}_m(t_0, t_0, \varepsilon_0) \cap \mathcal{N}| \le |\mathcal{N}| = N$, there exists $T < N$ such that one of the sets $\mathcal{X}_M(t_0+T, t_0, \varepsilon_T) \cap \mathcal{N}$, $\mathcal{X}_m(t_0+T, t_0, \varepsilon_T) \cap \mathcal{N}$, or both, is empty. It follows that in the former case, $M[t_0+T] \le M[t_0] - \varepsilon_T$, and in the latter case, $m[t_0+T] \ge m[t_0] + \varepsilon_T$. Since $\varepsilon_0 > \varepsilon_1 > \cdots > \varepsilon_T \ge \varepsilon_{N-1} > 0$, we have

$$\Psi[t_0+N-1] - \Psi[t_0] \le \Psi[t_0+T] - \Psi[t_0] \le \bigl(M[t_0+T] - M[t_0]\bigr) + \bigl(m[t_0] - m[t_0+T]\bigr) \le -\varepsilon_T \le -\varepsilon_{N-1}.$$

Therefore, $\Psi[t_0+N-1] \le \Psi[t_0]\,(1 - \alpha^{N-1}/2)$. Define $c = (1 - \alpha^{N-1}/2)$. Since $c$ is not a function of $t_0$ and $t_0$ was chosen arbitrarily, it follows that

$$\Psi[t_0 + k(N-1)] \le c^k\,\Psi[t_0],$$

for all $k \in \mathbb{Z}_{\ge 0}$. Because $c < 1$, it follows that $\Psi[t] \to 0$ as $t \to \infty$. ■
When the network is time-varying, one can state the following corollary of the above theorem.

Corollary 2: Consider a time-varying network modeled by a directed graph $\mathcal{D}[t] = \{\mathcal{V}, \mathcal{E}[t]\}$ where each normal node updates its value according to ARC-P with parameter $F$. Then, resilient asymptotic consensus is achieved under the $F$-total malicious model if there exists $t_0 \ge 0$ such that $\mathcal{D}[t]$ is $(F+1, F+1)$-robust, $\forall t \ge t_0$.

Proof: [Continuous Time] The proof follows the contradiction argument of the proof of Theorem 3, but here we use the dwell time assumption. In this case, let

$$\Delta < \min\{\delta(\nu),\ \log(3)/\beta,\ \tau/N\}.$$

Fix

$$\varepsilon < \frac{1}{\alpha}\bigl(1 - e^{-\beta\Delta}\bigr)e^{-\beta\Delta}\,\varepsilon_0$$

and let $t'_\varepsilon \ge 0$ be the time such that $M[t] < A_M + \varepsilon$ and $m[t] > A_m - \varepsilon$ for all $t \ge t'_\varepsilon$, and define $t' = \max\{t_0, t'_\varepsilon\}$. Then, associated to the switching signal $\sigma(t)$, we define $t_\varepsilon$ as the next switching instance after $t'$, or $t'$ itself if there are no switching instances after $t'$. Since $\Delta < \tau/N$, the same sequence of calculations can be used (as in the proof of Theorem 3) to show that $\Psi[t_\varepsilon + T\Delta] < A_M - A_m$.

[Discrete Time] The argument in the proof of Theorem 3 holds for $t \ge t_0$. Hence,

$$\Psi[t_0 + k(N-1)] \le c^k\,\Psi[t_0],$$

for all $k \in \mathbb{Z}_{\ge 0}$. Because $c < 1$, it follows that $\Psi[t] \to 0$ as $t \to \infty$. ■

To illustrate these results on the examples of Section V, the graphs in Figs. 1, 2 and 3 can withstand the compromise of at most 1 malicious node in the network using ARC-P with parameter $F = 1$ (each graph is (2,2)-robust but not (3,3)-robust). This is not to say that it is impossible for the normal nodes to reach consensus if there are, for example, two nodes that are compromised. Instead, these results say that it is not possible that any two nodes can be compromised and still guarantee resilient asymptotic consensus using ARC-P with parameter $F = 2$.



B. F-Local Model

Theorem 4: Consider a time-invariant network modeled by a directed graph $\mathcal{D} = \{\mathcal{V}, \mathcal{E}\}$ where each normal node updates its value according to ARC-P with parameter $F$. Then, resilient asymptotic consensus is achieved under the $F$-local malicious model if the network topology is $(2F+1)$-robust. Furthermore, a necessary condition is for the topology of the network to be $(F+1)$-robust.

Proof: The necessity proof is given in [34]. The sufficiency proof follows the same line as that of Theorem 3. In continuous time, the main difference is that the sets of nodes $\mathcal{X}_M$ and $\mathcal{X}_m$ include only normal nodes. That is, for any $t_0 \ge 0$, $t \ge t_0$, $\Delta > 0$, and $\eta > 0$, define

$$\mathcal{X}_M(t, t_0, \Delta, \eta) = \{i \in \mathcal{N} : \exists\, t' \in [t, t+\Delta] \text{ s.t. } x_i[t'] > M[t_0] - \eta\}$$

and

$$\mathcal{X}_m(t, t_0, \Delta, \eta) = \{i \in \mathcal{N} : \exists\, t' \in [t, t+\Delta] \text{ s.t. } x_i[t'] < m[t_0] + \eta\}.$$

Likewise, for $k = 1, 2, \ldots, N$, the definitions of $\mathcal{X}_M^k$ and $\mathcal{X}_m^k$ are modified to include only normal nodes. The analysis showing that $\mathcal{X}_M^k$ and $\mathcal{X}_m^k$ are disjoint still holds. By definition, it follows that $\mathcal{X}_M^0$ and $\mathcal{X}_m^0$ are nonempty. Since the network is $(2F+1)$-robust, either $\exists\, i \in \mathcal{X}_M^0$ or $\exists\, i \in \mathcal{X}_m^0$, or both, such that $i$ has at least $2F+1$ neighbors outside of its set. If such $i$ is in $\mathcal{X}_M^0$, then at most $F$ of the neighbors are malicious ($F$-local model) and the others are normal with value $x_j[t] \le M[t_\varepsilon] - \varepsilon_0$ for $t \in [t_\varepsilon, t_\varepsilon + \Delta)$. The remaining argument follows the same line as that of Theorem 3 (notice in this case that the uniform continuity assumption on the malicious nodes is not needed).

In discrete time, the sets $\mathcal{X}_M$ and $\mathcal{X}_m$ are defined to include only normal nodes. Then, the $(2F+1)$-robust assumption under the $F$-local model ensures at least one normal value outside of either $\mathcal{X}_M$ or $\mathcal{X}_m$ will be used in the update. The rest of the analysis is identical to the proof of Theorem 3. ■

As with the $F$-total model, we have the following corollary (whose proof follows the same line as that of Corollary 2).

Corollary 3: Consider a time-varying network modeled by a directed graph $\mathcal{D}[t] = \{\mathcal{V}, \mathcal{E}[t]\}$ where each normal node updates its value according to ARC-P with parameter $F$. Then, resilient asymptotic consensus is achieved under the $F$-local malicious model if there exists $t_0 \ge 0$ such that $\mathcal{D}[t]$ is $(2F+1)$-robust, $\forall t \ge t_0$.



To illustrate these results, consider the 3-robust graph of Fig. 2. Recall that this graph cannot generally sustain 2 malicious nodes as specified by the 2-total model; it is not (3,3)-robust. However, under the 1-local model, it can sustain two malicious nodes if the right nodes are compromised. For example, nodes 1 and 4 may be compromised under the 1-local model and the normal nodes will still reach consensus. This example illustrates the advantage of the $F$-local model, where there is no concern about global assumptions. If a digraph is $(2F+1)$-robust, then up to $F$ nodes may be compromised in any node's neighborhood, possibly resulting in more than $F$ malicious nodes in the network (as in the previous example).
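The robustness conditions this section relies on (graphs that are (2,2)-robust but not (3,3)-robust, the $(2F+1)$-robust requirement of Theorem 4) can be checked mechanically on small graphs. The following Python script is an added example, not code from the paper or its authors. It encodes the $(r,s)$-robustness definition as an assumption of the example (restated in the comments, since the paper's Section IV is not reproduced on this page) and checks it by exhaustive enumeration of subset pairs. The two graphs it evaluates, the complete graph on four nodes with one edge removed and the 4-cycle, are constructed for the example and are not the paper's figures; the 4-cycle is included because it is 2-connected yet only 1-robust, which is exactly the gap between connectivity and robustness that the Discussion draws.

```python
from itertools import product

# (r,s)-robustness, as assumed for this example: for every pair of nonempty,
# disjoint subsets S1, S2 of the node set, at least one of the following holds,
# where X_S^r denotes the nodes of S having at least r in-neighbors outside S:
#   (i)   every node of S1 is in X_S1^r,
#   (ii)  every node of S2 is in X_S2^r,
#   (iii) |X_S1^r| + |X_S2^r| >= s.
# "r-robust" is shorthand for (r,1)-robust.


def in_neighbors(n, edges, directed=False):
    """In-neighbor sets for nodes 0..n-1 from an edge list of (u, v) meaning u -> v."""
    nbrs = {i: set() for i in range(n)}
    for u, v in edges:
        nbrs[v].add(u)
        if not directed:
            nbrs[u].add(v)
    return nbrs


def outside_degree(nbrs, node, subset):
    """Number of in-neighbors of `node` that lie outside `subset`."""
    return len(nbrs[node] - subset)


def is_rs_robust(nbrs, r, s):
    """Exhaustive (r,s)-robustness check: 3^n labellings (S1 / S2 / neither)."""
    nodes = sorted(nbrs)
    for labels in product((0, 1, 2), repeat=len(nodes)):
        s1 = {v for v, lab in zip(nodes, labels) if lab == 1}
        s2 = {v for v, lab in zip(nodes, labels) if lab == 2}
        if not s1 or not s2:
            continue
        x1 = sum(1 for v in s1 if outside_degree(nbrs, v, s1) >= r)
        x2 = sum(1 for v in s2 if outside_degree(nbrs, v, s2) >= r)
        if x1 == len(s1) or x2 == len(s2) or x1 + x2 >= s:
            continue
        return False  # this (S1, S2) pair violates all three conditions
    return True


def is_r_robust(nbrs, r):
    return is_rs_robust(nbrs, r, 1)


def max_robustness(nbrs):
    """Largest r for which the digraph is r-robust (always terminates: no node
    can have more than n-1 in-neighbors outside its set)."""
    r = 0
    while is_r_robust(nbrs, r + 1):
        r += 1
    return r


# Constructed example graphs (not the paper's figures), both undirected.
K4_MINUS_EDGE = in_neighbors(4, [(0, 1), (0, 2), (1, 2), (1, 3), (2, 3)])
CYCLE4 = in_neighbors(4, [(0, 1), (1, 2), (2, 3), (3, 0)])


def summarize(nbrs):
    return {
        "(2,2)-robust": is_rs_robust(nbrs, 2, 2),
        "(3,3)-robust": is_rs_robust(nbrs, 3, 3),
        "max r-robust": max_robustness(nbrs),
    }


if __name__ == "__main__":
    for name, g in (("K4 minus edge {0,3}", K4_MINUS_EDGE), ("4-cycle", CYCLE4)):
        print(name, summarize(g))
```

K4 minus one edge comes out (2,2)-robust but not (3,3)-robust, so under Theorem 3 it tolerates one malicious node with $F = 1$ but is not covered for $F = 2$; the 4-cycle is only 1-robust even though every node has two neighbors, which is why node degree or connectivity alone is not the right metric for local filtering. The enumeration is exponential in the node count, adequate for figure-sized graphs but not for the large-scale networks the paper targets.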

VI. SIMULATIONS 

This section presents a numerical example to illustrate our results. In this example, the network is given by the (2,2)-robust graph shown in Fig. 4. Since the network is (2,2)-robust, it can sustain a single malicious node in the network under the 1-total model. Suppose that the node with the largest degree, node 14, is compromised and turns malicious. The nodes have continuous dynamics and the normal nodes use either the Linear Consensus Protocol (LCP) given in © or ARC-P for their control input. In either case, the weights are selected to be unity for all neighboring nodes that are kept, with the self-weights selected as $-d_i$ for LCP and $|\mathcal{R}_i[t]| - d_i$ for ARC-P for each normal node $i \in \mathcal{N}$. The initial values of the nodes are shown in Fig. 4 beneath each node's label. The goal of the malicious agent is to drive the values of the normal nodes to a value of 2.




Fig. 4. (2,2)-robust network topology.

The results for this example are shown in Fig. 5. It is clear in Fig. 5(a) that the malicious node is able to drive the values of the normal nodes to its value of 2 whenever LCP is used. On the other hand, the malicious node is unable to achieve its goal whenever ARC-P is used. Note that due to the large degree of the malicious node, it has the potential to drive the consensus process to any value in the interval [0, 1] by choosing the desired value as its initial value and remaining constant. However, this is allowed with resilient asymptotic consensus (because the consensus value is within the range of the initial values held by normal nodes). Another observation is that the consensus process in the case of ARC-P is slower than LCP; this is to be expected, due to the fact that ARC-P effectively removes certain edges from the network at each time instance.
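The following Python simulation is an added example, not the paper's simulation code. It replays the comparison of this section in discrete time on a small constructed graph rather than the network of Fig. 4: the graph is the complete graph on four nodes with the edge {0,3} removed (a graph that is (2,2)-robust but not (3,3)-robust), node 1 has the largest degree, is the malicious node, and holds the constant value 2, outside the normal nodes' initial range. The ARC-P update rule encoded here is an assumption of the example and is also the update bounded in the discrete-time proof of Theorem 3: each normal node discards up to $F$ neighbor values strictly larger than its own and up to $F$ strictly smaller than its own, then averages its own value with the remaining ones using unity weights; LCP is the same average with nothing discarded.

```python
def in_neighbors(n, edges):
    """In-neighbor sets for an undirected edge list over nodes 0..n-1."""
    nbrs = {i: set() for i in range(n)}
    for u, v in edges:
        nbrs[u].add(v)
        nbrs[v].add(u)
    return nbrs


def arcp_update(i, x, nbrs, F):
    """One ARC-P round for normal node i (rule as assumed in the lead-in).

    Values strictly above x_i: drop the F largest (all of them if fewer than F).
    Values strictly below x_i: drop the F smallest (all of them if fewer than F).
    The surviving neighbor values and x_i itself are averaged with unity weights.
    A node whose neighbor values are all discarded simply keeps its own value;
    progress toward agreement then comes from the other normal nodes.
    """
    own = x[i]
    above = sorted((x[j] for j in nbrs[i] if x[j] > own), reverse=True)
    below = sorted(x[j] for j in nbrs[i] if x[j] < own)
    equal = [x[j] for j in nbrs[i] if x[j] == own]
    kept = above[F:] + below[F:] + equal + [own]
    return sum(kept) / len(kept)


def lcp_update(i, x, nbrs):
    """One linear consensus round: uniform average of x_i and every neighbor value."""
    kept = [x[j] for j in nbrs[i]] + [x[i]]
    return sum(kept) / len(kept)


def simulate(nbrs, x0, malicious, F, steps, protocol):
    """Run `steps` synchronous rounds; malicious nodes hold their assigned value.
    Returns the final values of the normal nodes only."""
    x = dict(x0)
    for _ in range(steps):
        nxt = {}
        for i in x:
            if i in malicious:
                nxt[i] = malicious[i]  # adversary keeps broadcasting a constant
            elif protocol == "ARC-P":
                nxt[i] = arcp_update(i, x, nbrs, F)
            else:
                nxt[i] = lcp_update(i, x, nbrs)
        x = nxt
    return {i: v for i, v in x.items() if i not in malicious}


def spread(values):
    vals = list(values)
    return max(vals) - min(vals)


def run_example(steps=500):
    # Constructed instance: K4 minus edge {0,3}; node 1 (degree 3) is malicious
    # and tries to pull the others to 2, outside the normal initial range [0.1, 0.9].
    nbrs = in_neighbors(4, [(0, 1), (0, 2), (1, 2), (1, 3), (2, 3)])
    malicious = {1: 2.0}
    x0 = {0: 0.1, 1: 2.0, 2: 0.5, 3: 0.9}
    lcp = simulate(nbrs, x0, malicious, F=1, steps=steps, protocol="LCP")
    arcp = simulate(nbrs, x0, malicious, F=1, steps=steps, protocol="ARC-P")
    return {"lcp": lcp, "arcp": arcp}


if __name__ == "__main__":
    out = run_example()
    print("LCP   final normal values:", out["lcp"])   # pulled to the adversary's 2
    print("ARC-P final normal values:", out["arcp"])  # agree on a value inside [0.1, 0.9]
```

With LCP the normal nodes are driven to 2, reproducing Fig. 5(a); with ARC-P and $F = 1$ the normal nodes agree on a value inside the range of their own initial values (here the largest one, 0.9, since node 3 discards both of its neighbor values every round and the other two normal nodes climb toward it), reproducing the qualitative behaviour of Fig. 5(b). Both outcomes are checked on the returned values rather than read from a plot.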




[Fig. 5 plots: legend "Malicious node" / "Normal nodes"; horizontal axis t (s). (a) LCP. (b) ARC-P.]

Fig. 5. Malicious node attempts to drive the values of the normal nodes to a value of 2. The malicious node succeeds whenever LCP is used, but fails whenever ARC-P is used.



VII. DISCUSSION 

The notion of graph connectivity has long been the backbone of investigations into fault tolerant and secure distributed algorithms. Indeed, under the assumption of full knowledge of the network topology, connectivity is the key metric in determining whether a fixed number of malicious adversaries can be overcome. However, in large scale systems and complex networks, it is not practical for the various nodes to obtain knowledge of the global network topology. This necessitates the development of algorithms that allow the nodes to operate on purely local information. This paper continues and extends the work started in [16], [18], [34], and represents a step in this direction for the particular application of distributed consensus. Using the ARC-P algorithm developed in [16], the notion of robust graphs introduced in [34], and the extensions of each presented here, we characterize necessary/sufficient conditions for the normal nodes in large-scale networks to mitigate the influence of adversaries. We show that the notions of robust digraphs are the appropriate analogues to graph connectivity when considering purely local filtering rules at each node in the network. Just as the notion of connectivity has played a central role in the existing analysis of reliable distributed algorithms with global topological knowledge, we believe that robust digraphs (and their variants) will play an important role in the investigation of purely local algorithms.

In a recent paper, developed independently of our work, Vaidya et al. have characterized the tight conditions for resilient consensus using only local information whenever the threat model is Byzantine and the scope of threat is F-total [32]. The network constructions used in [32] are very similar to the robust digraphs presented here. In particular, the networks in [32] also require redundancy of information flow between subsets of nodes in the network in a single hop.

Finally we summarize the main works related to resilient consensus using only local information in Table I. In this table, we include only works on resilient consensus (also referred to as Byzantine approximate consensus, or just approximate consensus in the literature) in synchronous networks that use only local information, with no relaying of information across the network and with networks that are not complete (since complete networks provide global information and have high communication cost). Further discussion about the relationship of the results in this paper (and in [16], [18], [32], [34]) to approximate consensus can be found in [34] and [32].



TABLE I

Related work for resilient consensus in synchronous networks using only local information (no nonlocal information, no relays, and the network is not complete).

Threat Model    Scope: F-total        Scope: F-local
Byzantine       ED, [32]
Malicious       [18], this paper      [34], this paper